



Train your employees — before someone else does

Dec 18, 2017 | 5 mins
Budgeting, Email Clients, Hacking

Slashing overhead often means cutting training budgets, but unintended side effects often include employee attrition, poor performance, or even breach of your organization and loss of intellectual property.


Having worked for the Federal government, large government contractors, and small companies alike, I’ve seen a disturbing trend. For reasons of competitiveness, slashed budgets, or just “making numbers,” employee training is often one of the first line items on the cost-conscious manager’s chopping block. Worse, many managers don’t believe in training their employees regardless of budget. More times than I can remember, when speaking to other managers and C-level executives, I’ve heard, “I don’t train employees, because what happens if I spend money to train them and they leave?”

When faced with that question, I always reply with, “Well, what happens if you don’t train them and they stay?” (Tip o’the hat to Mark Horstman at Manager Tools for that amazing response with which he armed me so many years ago.) This usually engenders stammers, furrowed eyebrows, and an unspecific look of disapproval—but no viable answer.

Short-sighted managers think a never-ending cycle of attrition and hiring (also known as the “fresh blood” solution) solves the lack of training problem, but odds are that it doesn’t. Employees with intellect, drive, and ambition not only enjoy training, but they also understand that it’s necessary for their personal career growth. Less enthusiastic and engaged employees—those you don’t want on your staff—are often content to maintain the status quo. Therefore, the employees you want to retain will soon leave you for an employer that offers training, and those that you don’t want on your team will remain. In a startlingly short time, you’ll find that you’re managing the least trained, least capable staff amongst your competitors, and that’s not exactly a marketable distinction.

Lack of training is of particular concern in the Information Technology and Information Security departments where the requirements of the job change constantly. Budgetary concerns often force IT and IS to “do more with less” in the face of ever-growing responsibilities and ever-evolving threats, but managers (or C-level executives) who think they can reduce staff and reduce training are fooling themselves. Fewer, less capable employees cannot be expected to defend your company from state-sponsored attacks, lone wolf hackers, or even bored script kiddies. Shortly, a CIO will find themselves in the position of explaining to the Board why their IT specialist failed to set up the new firewall properly, resulting in the loss of corporate intellectual property. As an industry, one would think we had learned our collective lesson after the Target breach, or the Office of Personnel Management breach, or the Equifax breach, or any one of the myriad breaches that have hit the news, but we make the same mistakes again, and again, and again.

How can you balance the training needs of your employees with the reality of limited budgets? I could give you platitudes about encouraging employee “lunch and learns,” sending one person to a “train the trainer” session, or utilizing free online resources, but those basics should already be in your arsenal. Instead, let me offer some different tactics:

1. Rate managers on their employee training initiatives

Until managers are held responsible for the training and career development of their employees, they will not be incentivized to think twice before cutting training out of their budgets to make their numbers. (Your managers do have budgetary authority over their departments, don’t they? Responsibility without authority is neither.)

By directly linking a manager’s personal success to the growth of their employees, not only will your organization develop a more skilled workforce, but you will also ensure that your managers will take training seriously. Similarly, if an employee’s failure can be traced directly to a lack of training necessary for his or her position, place the culpability on the manager and not the employee. (Note: If you consistently deny your subordinate managers’ requests for training funds, you cannot blame lack of training on your subordinate managers.)

2. Prorate training reimbursements for departing employees (instead of denying training completely)

If you absolutely maintain the view that you won’t pay for employee training because they’ll leave for a better job afterward (which means you have an entirely different set of organizational problems), instead of denying training outright, create a plan in which departing employees have to reimburse the company for the cost of training on a prorated basis for the year following their return. While this is admittedly negative reinforcement, it does ensure that your budget won’t bear the brunt of departing employee training costs.

3. Express training costs to senior management in terms of potential losses to the bottom line

Unfortunately, some senior managers respond only to the numbers on their profit and loss sheets. The comparatively small price of a $3,000.00 training class could prevent costs associated with extensive corporate downtime due to the accidental destruction of an Active Directory server, a data breach due to misconfigured defenses, or even the costs of rehiring for the position once that employee leaves due to stagnation (which are actually a lot more than most managers initially understand). All of these numbers can be quantified based upon the size of your organization, factored by potential risk. This is especially important if you have “saved” money by hiring extremely junior or marginally qualified personnel; those types of employees must have a training budget attached, because they increase the risk profile for everything they touch. Expecting a junior employee to be a full contributor without training is folly.

As managers, our job is to meet corporate objectives and retain talent. Lack of employee training threatens both of these primary managerial duties, and that includes training for the managers themselves.


A managerial and technical professional, John J. Irvine offers an extensive background in the direction and management of cybersecurity concerns. With over twenty years of experience in the Federal Law Enforcement and Intelligence communities, John is an accomplished cyber security executive, computer forensic analyst, digital investigator, software product/project manager, and university professor.

As CTO of CyTech Services, John currently directs the development of CyFIR Enterprise, an enterprise-level software product for endpoint digital forensics, incident response, insider threat, and malcode hunting that is known for locating malicious code during the breach investigation at the Office of Personnel Management on a live product demonstration. John has led multi-site divisions of over forty digital forensic examiners, network intrusion specialists, forensic application developers, digital investigators, and malicious code reverse engineers in support of our nation's most critical Federal organizations and commercial enterprises.

John's managerial skills focus on team cohesion and cooperation, employee retention and development, and effective recruiting. His forensic specialties include cyber profiling and counterterrorism forensics, and he is experienced in incident response, counterintelligence, insider threat, and eDiscovery forensic casework. His software product and project management experience is in the design and development of enterprise systems and business/consumer mobile applications.

Additionally, John is an Adjunct Professor of Digital Forensics Ethics and Law at George Mason University in its Masters of Computer Forensics program.

The opinions expressed in this blog are those of John J. Irvine and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.