N2K Blog: 5 scenarios that waste your cybersecurity training budget

Five scenarios that waste your cybersecurity training budget

Five scenarios that waste your cybersecurity training budget 1200 628 N2K

Some training methods may be costing you more than you realize.

Even with predictions of cybersecurity investments to increase in 2023, economic uncertainty has moved security leaders to rethink their organizational cybersecurity strategies, and in that, how they’re sourcing and developing their cyber talent. When recruiting budgets are set on pause, more organizations are embracing the idea of investing in training and upskilling their current workforce to keep pace with shifting priorities.

However, not all approaches to training yield the same outcomes, and some may be costing you more than you realize. Here are five scenarios that may be wasting your cybersecurity talent development and training budget:

Scenario #1 – Taking a blanket enterprise approach.

  • Why do it – Online subscription services provide access to an extensive video content library covering a wide range of topics at a low cost. This can be appealing for larger organizations looking to accommodate multiple teams or for smaller organizations with a limited budget. 
  • Why it’s not effective – While it seems efficient to provide employees free reign to unlimited content, you run the risk of options overload. This method neglects the unique needs of employees and typically lacks guidance on where to begin, leading to low engagement, effort spent in the wrong places, and ultimately wasted budget.
  • What to do instead – Continue using this method if cost is the main issue, however, don’t go into it blindly. It’s important to first understand the different roles within your organization and desired skill expectations in order to have better insights to evaluate against outcomes following training. Take the time to meet with practitioners or their department leaders to gain perspective on what they do, what they want to do but can’t, and what’s needed to help them get there.

Scenario #2 – Allowing employees to self-select training.

  • Why do it Choosing the training they’re interested in gives employees more autonomy towards their career development. This also offers a more hands-off approach for leaders, who understand the importance of training and development, but may not have the bandwidth or full grasp of how to approach building a holistic cyber talent development strategy.
  • Why it’s not effective The cost of being hands-off with your employees’ training may have more consequences beyond the financial. Without proper regulation, you can increase soft costs by managing multiple training vendors. Moreover, inconsistent training equates to inconsistent results, making it that much more difficult to measure ROI and actual performance change.
  • What to do instead – Cybersecurity leaders need to be more involved when it comes to upskilling their employees. For the staff, knowing that their contribution and voice matter and that the company is willing to invest in their growth is essential. By stepping in, you can provide thoughtful guidance and a clearer pathway toward their career goals.

Scenario #3 – Continuing with the same vendor despite costs.

  • Why do it Change is hard. Even if there are things you like or would like to change about your current training solution, it’s more convenient to maintain the status quo than to deal with long internal administrative processes to implement a new solution. There is also potential for employee pushback, as well.
  • Why it’s not effective Blind loyalty to a vendor simply out of convenience may not be doing your employees any favors. What worked in previous years may not be the right training needed to keep up with evolving responsibilities and technologies. 
  • What to do instead – Due diligence with both the vendor and your employees is required to ensure alignment between what your team(s) need and what the vendor offers to meet those needs. Things to consider: your cyber org chart, skill expectations for each role, learning modalities (live online vs. self-paced), supporting learning tools, and relevant role-based content, among other factors.

Scenario #4 – Using training as a reward or incentive.

  • Why do it Typically, this reward comes in the form of a week-long cybersecurity bootcamp held at a popular vacation destination. Giving high-performing employees (and sometimes their families) an opportunity to travel is a tactic in combating abysmal retention rates industry-wide. Training feels like a sponsored vacation rather than a focused study environment.
  • Why it’s not effective Hot take: This is a BAD training method. Rewarding only high-performing employees with training sends the wrong message about how your company views professional development. Additionally, the costs associated with these training getaways add up quickly—and they aren’t justified by practical application to their jobs after they return.
  • What to do instead – Save yourself the money and put it towards a quality online solution that can accommodate more of your team members for the same cost of sending one person to a bootcamp. 

Scenario #5 – Not using (the right) data to determine actual needs.

  • Why do it – Some training providers have analytics showing employee performance, engagement, and attendance. But it’s not enough anymore. Data has become increasingly important in the evolution of cybersecurity workforce development and training. Having the right insights help justify budgets, team or departmental performance, evaluate compliance, and more. 
  • Why it’s not effective Most providers can’t show you where employee competencies lay. Here’s what tends to happen: vendors recommend a particular program without much investigation into the makeup of the workforce, creating a false narrative about actual training needs, and consequently having a negative impact on training effectiveness.
  • What to do instead – Find a partner that can provide a clear and thorough analysis of your cyber org chart, employees’ actual skill strengths and shortcomings, AND detailed insights on how to remediate them. Having the right insights provides an easier way to build and continuously adapt your cyber talent strategy by assessing roles and skills first to better evaluate training options, then investing accordingly.

Make your training dollars go further.

Before selecting training, employers need to set expectations and desired goals for their employees. Set time aside to properly evaluate your current solution against present needs and upcoming initiatives within your organization. Having KPIs outlined, plus a thorough understanding of the current state of your workforce, can help generate the right insights to effectively assess outcomes following your selected training engagement. 

Taking the time to organize your cybersecurity workforce development strategy can help your employees keep pace with organizational changes while also helping you create more opportunities to elevate your people. 

N2K takes a data-driven approach to strategic cyber workforce intelligence. Powered by skills diagnostics and market data, you have a consistent health check into where your teams needs work so you can identify and fill skills gaps faster and more seamlessly while ensuring time and budget invested are as impactful as possible.

Additional Resources:


Ready to learn more about our training solutions?

All of the training you need, with none of the training you don’t. We offer enterprise cybersecurity training solutions that fall into these buckets. Click below to learn more.

Diagnostic Assessment

Start with a skills baseline so you can deploy the most relevant training to address cybersecurity skills gaps.

Role-Based Training

Integrate role-specific knowledge and skills to improve job performance beyond certification attainment.

Certification Prep

Certify your team with comprehensive courses for top titles, plus practice tests and labs for 100+ certs.

Professional Services

Match skills to job roles, update job profiles and career pathways, and align strategy to the NICE Framework.