In addition to training for core skills and emerging technologies, IT teams need training to combat evolving security threats.
After years of being targeted for post-Great Recession budget cuts, the average IT training budget increased 56 percent between 2014 and 2015, according to the CEB CIO Leadership Council.
Unfortunately, too many organizations limit IT security training. "Most people think of cybersecurity training as a specialization," Bill Rosenthal, CEO of Logical Operations, tells CSO. "They look at the larger IT organization, and they identify the people within that organization that are responsible for IT security, and they train the bejesus out of those people."
But by the time a cyberthreat makes it to that level of the food chain, it's already become a big problem. "You really have to get frontline IT staff ... to be able to recognize what the signs are of cybersecurity problems and be able to deal with them."
Hiring vs. Training
You may think hiring a security expert is the best way to protect your organization, but hiring is going to cost you — and it's probably going to take a long time.
Between 2017 and 2021, according to CSO, worldwide spending on cyberdefense products will jump to $1 trillion. By 2019, market expansion will lead to 1.5 million cybersecurity job openings. Qualified employees will command $6,500 more per year, on average, than the everyday IT worker, with big executive-level jobs, like director of security or CISO, commanding paydays of $175,000 per year or more.
As Veronica Mollica of Indigo Partners tells CSO, the cybersecurity job market is on fire. "Our candidates are facing competing offers from multiple companies with salary increases averaging over 30%. Current employers are scrambling to retain talent with counter offers including 10% and higher salary increases for information security team members to remain on board."
Additionally, many applicants for security positions don't have the qualifications employers need. According to a recent ISACA and RSA Conference survey, over half of organizations surveyed said it takes three months or more to fill open security positions.
Get the IT Security Training Budget You Need
With IT training budgets trending upward, now is the time to seize the security training dollars you need.
Start With Compliance
A recent Bay Dynamics survey found that corporate board members worry more about regulatory noncompliance than they do about embarrassing data breaches. Concern about lawsuits and regulatory fines has increased elevenfold as boards face increasing pressure from government agencies and industry watchdogs.
SANS has published and periodically updates a white paper entitled "Security Awareness Compliance Requirements." Within the paper, SANS lists 15 regulatory frameworks, from PCI DSS to the European Union's Data Protection Directive, including language within each framework requiring organizations to provide security training.
Negotiating tip: Show higher-ups the SANS paper language requiring IT training as part of compliance. Additionally, demonstrate what organizations like yours have paid for noncompliance, including compensatory damages and regulatory fines.
Show That Training Is Cheaper
An information security analyst in the U.S., according to the Bureau of Labor Statistics, makes a median annual wage of $90,120. Paying for one IT worker to earn CompTIA Security+ certification costs less than $1,000.
Jon Ramsey, CTO of Dell SecureWorks, told TechTarget he tackles the skills gap by training current IT pros. "We use a farm league to develop the talents we need. We can put a junior member of the team with a more senior person for training, send them to an engagement and not charge for the trainee."
Negotiating tip: Demonstrate the low cost of training versus hiring dedicated security analysts. Develop a plan similar to Jon Ramsey's farm-team approach, which can include paying for certifications, providing tuition reimbursement and sending IT pros to competitions, conventions and hackathons.
Prep for Emergencies
Most organizations don't need to hire a full-time security specialist or CISO. What you do need, however, is a plan for bringing in serious expertise when it's warranted. You may also want to hire compliance experts, like ISO certification providers, to inspect your existing systems and procedures for vulnerabilities.
Negotiating tip: In addition to preparing an IT training budget, draw up a plan for bringing in consultants, managed security providers or incident response teams when needed. Explain the potential ROI for hiring these experts, which means showing how these expenditures cost less than data breaches, litigation, fines and replacing executives who may be fired in the aftermath of a breach.
Make Continuous Training Part of Your Budget
A one-time IT training initiative won't be enough to stay ahead of ongoing security challenges. Once you make the case for security training, fight for it as a continuous line item in your budget, always providing a numbers-based argument for its inclusion.