Train-Up or Hire-In?
The Pros and Cons of IT Security Training
Whether you’ve been hit with an attack, or are just seeing all the breaches happening in the news daily, you may be concerned that your security tools are just not going to cut it anymore. Along with data security awareness training for your non-technical employees, it’s also important that you have a strong, technically-proficient security team to mitigate incidents and events as they arise. Now the real question: should you hire-in or train-up?
Let’s first look at the pros and cons of hiring-in new talent
- Hiring-in new talent can come with a lot of great perks. You get a fresh eye and perspective in the role, while avoiding an internal sense of entitlement or unnecessary competition between existing employees.
- Another advantage to hiring-in new talent is that they likely have more experience in such a role. As Sinclair Schuller of Apprenda has said, “…for higher-level positions, where a mistake could result in serious consequences, I prefer someone with proven skills and solid experience.”
- They may also be critical in filling skill gaps in your current organization.
- Additionally, (especially for those in the cyber security field) companies in industries where the market and technology is changing rapidly may not be able to train their existing employees. If you do not have the necessary time and resources to train existing employees in such quickly advancing technologies and marketplaces, hiring-in new talent who has the knowledge and experience required to work with these technologies and markets clearly makes the most sense for you.
- The major con about hiring-in is that it poses a risk because you don’t know the person. This could lead to a high turn-over rate (which can get pricey) because of low productivity, mismatched expectations or they just don’t fit in with the company culture. This is especially true if your company relies on heavy networking and communication to get their jobs done. As Professor Peter Cappelli, director of Wharton’s Center for Human Resources, said “They know what to ask each other. They know each other’s strengths,” you’re new-hire may not.
- Hiring-in is typically more expensive. According to Matthew Bidwell of the Wharton Business School investment banks pay 18% to 20% higher salaries for external hires over internal hires. Outside recruiter fees can be as high as 15 to 20% of the salary for which the candidate is being hired.
Now let’s look at the pros and cons of training-up existing talent
- The most obvious advantage to training your employees up is that you know them. You should have a pretty good idea of their strengths, weaknesses and potential. As Sinclair Schuller said (in the same interview linked above) “…the value of training your own talent is that you can shape and mold the employee for your unique culture and environment.”
- Another perk is that it typically costs less. Without recruitment costs, lower risk of turn over, and likely lower salary expectations internal promotions usually require less training than hire-ins and overall cost less to promote.
- Additionally, specifically to cyber security, with the continual advancements by hackers and cyber attackers, whether you hire-in or train-up your employees will require continual training to keep up with industry methodology, tools and trends, so if you possess motivated, intelligent talent with minimal understanding, it may be well worth training them to meet the standards of the industry today.
- As far as training IT in cybersecurity skill sets, they should already have a deep understanding of your network and environments, giving them a competitive edge against those who may know cyber security methodologies, but lack experience with your specific environment, systems and tools.
- As the National Cybersecurity Institute puts it, “Not enough people are already skilled in cybersecurity, so companies need to invest in training.”
- The main cons of training-up are lack of knowledge and experience. This is especially true for cyber security experts. Many coming out of college, or without professional experience do not understand how to mitigate risks in a real world setting.
- Another con is shaking up the company culture. You may see more potential in a junior employee. How will you mitigate promoting them over a more seasoned, senior employee? This is a concern to consider, however refined leadership skills can defuse potential issues.
While there are benefits to both hiring-in new talent, and training-up existing employees, the cybersecurity field comes with its own nuances. In an article about the cybersecurity skills-gap by TechTarget, former CIA employee, James Gosler, estimates that in 2012, no more than 1,000 people had the necessary skills to tackle tough cybersecurity tasks. According to (ISC)2, more than 300,000 trained cybersecurity professionals are in need. Additionally, many sources have been citing one-million open cybersecurity jobs every year. And, as acting assistant director of the FBI’s Cyber Division, James Trainor, said: the cybersecurity industry needs to double or triple its workforce in order to keep up with hacking threats.
For all the above reasons, when looking to boost your cyber security workforce, I would prescribe a hybrid strategy. Hire-in one or two experts who are willing to help guide your internal promotions through their training. You’ll get the benefits of fresh perspective and expertise, while empowering your employees and leveraging the talent you already know you have.
Get your IT team the basic cyber security skills they need to keep your business safe. CompTIA’s Security+ certification training will help your employees get the base-skills they need to start a deeper understanding of cyber security tactics, tools and methodologies.
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting edge cyber security training. Our training provides the most in demand industry certification prep courses including EC-Council, CompTIA, (ISC)2 and Cisco; all taught by leading cyber security experts. All of our offerings are aligned with the national initiative for cyber security education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses bite-sized micro-learning methodology ensures learners are not overwhelmed with information. On Demand LMS platform has white-label capabilities ideal for internal training purposes.