Five scenarios that waste your cybersecurity training budget
CyberVista
Some training methods may be costing you more than you realize.
According to PwC, investment in cybersecurity is expected to rise in 2022, with 42% of survey respondents expecting an increase between one and ten percent in budget, and 26% expecting an increase of ten percent or more. With the average cost of a data breach rising 10% YoY, from $3.86M to $4.24M (except in the US, which tops the list at $9.05M), it’s understandable that we would also see rising cybersecurity budgets.
One line item in the budget that cybersecurity leaders are looking to expand on is training and upskilling their workforce to meet these growing threats. However, not all approaches to training yield the same outcomes, and some may be costing you more than you realize. Here are five scenarios that may be wasting your cybersecurity training budget:
Scenario #1 – Taking a blanket enterprise approach.
Why do it – Online subscription services provide access to an extensive video content library covering a wide range of topics for a low cost. This can be appealing for larger organizations looking to accommodate multiple teams or for smaller organizations with a limited budget.
Why it’s not effective – While it seems efficient to give employees free rein over unlimited content, you run the risk of options overload. This method neglects the unique needs of employees and typically lacks guidance on where to begin, leading to low engagement, effort spent in the wrong places, and ultimately wasted budget.
What to do instead – Continue using this method if cost is the main issue; however, don’t go into it blindly. It’s important to first understand the different roles within your organization and their unique responsibilities in order to have a better baseline of expected competency outcomes following training. Take the time to meet with different practitioners or their department leaders to gain perspective.
Scenario #2 – Allowing employees to self-select training.
Why do it – Choosing the training they’re interested in gives employees more autonomy towards their career development. This also offers a more hands-off approach for leaders, who understand the importance of training and development, but may not have the bandwidth or full grasp of how to approach a comprehensive training solution.
Why it’s not effective – The cost of being hands-off with your employees’ training may have consequences beyond the financial. Without proper regulation, you can increase soft costs by having to manage multiple training vendors. Moreover, inconsistent training equates to inconsistent results, making it that much more difficult to measure ROI and actual performance change.
What to do instead – Cybersecurity leaders need to be more involved when it comes to upskilling their employees. For the staff, knowing that their contribution and voice matter and the company is willing to invest in their growth is important. By stepping in, you can provide thoughtful guidance and a clearer pathway towards their career goals.
Scenario #3 – Continuing with the same vendor despite costs.
Why do it – Change is hard. Even if there are things you like or would like to change about your current training solution, it’s more convenient to maintain the status quo than to deal with long internal administrative processes to implement a new solution. There is also potential for employee pushback.
Why it’s not effective – Blind loyalty to a vendor simply out of convenience may not be doing your employees any favors. What worked in previous years may not be the right training needed to keep up with evolving responsibilities and technologies.
What to do instead – Due diligence with both the vendor and with your employees is required to ensure alignment between what your team(s) need and what the vendor offers to meet those needs. Things to consider: learning modalities (live online vs. self-paced), supporting learning tools, and relevant role-based content, among other factors.
Scenario #4 – Using training as a reward or incentive.
Why do it – Typically, this reward comes in the form of a week-long cybersecurity bootcamp held at a popular vacation destination. Giving high-performing employees (and sometimes their families) an opportunity to travel is a tactic for combating abysmal retention rates industry-wide. Training feels like a sponsored vacation rather than a focused study environment.
Why it’s not effective – Hot take: This is a BAD training method. Rewarding only high-performing employees with training sends the wrong message about how your company views professional development. Additionally, the costs associated with these training getaways add up quickly—and they aren’t justified by practical application to their jobs after they return.
What to do instead – Save yourself the money and put it towards a quality online solution that can accommodate more of your team members for the same cost as sending one person to a bootcamp.
Scenario #5 – Not using (the right) data to determine actual needs.
Why do it – Some training providers have analytics showing employee performance, engagement, and attendance. But it’s not enough anymore. Data has become increasingly important in the evolution of cybersecurity workforce development and training. It helps justify budgets and team or departmental performance, evaluate compliance, and more.
Why it’s not effective – Most providers can’t show you where employee competencies lie. Here’s what tends to happen: vendors recommend a particular program without much investigation into the makeup of the workforce, creating a false narrative about actual training needs, and consequently having a negative impact on training effectiveness.
What to do instead – Find a partner that can provide a clear and thorough analysis of employees’ actual skill strengths and shortcomings, AND detailed insights on how to remediate them. Having the right data helps you measure twice to cut once: assess skills first to better evaluate training options, then invest accordingly.
Make your training dollars go further.
Before selecting training, employers need to set expectations and desired goals for their employees. Set time aside to properly evaluate your current solution against present needs and upcoming initiatives within your organization. Having KPIs outlined, plus a thorough understanding of the current state of your workforce, can help generate the right data to effectively assess outcomes following your selected training engagement.
Taking the time to organize your cybersecurity workforce strategy can help your employees keep pace with organizational changes while also helping you create more opportunities to elevate your workforce.