Who Should Pay for IT Security Training? The Employer vs. Employee Debate

July 9, 2018 by Graeme Messina

Keeping abreast of the latest certifications in information technology is not easy, and there always seem to be updated revisions and new concepts to learn. This leaves many IT professionals on a continual certification track, endlessly studying for examinations and planning ahead for the next training course. All of this comes at a price, though, and often leaves employees wondering if they alone should have to shoulder the costs for such essential studies. Should the employer be making a contribution to IT security training, or is it the employee’s burden to carry alone?

The Current State of Training Requirements in IT Security

We know that the landscape in IT security is constantly changing, and as threats evolve, so too do the countermeasures that are needed to repel cyberattacks. These training resources require a fair bit of financial investment, time and energy from individuals. IT professionals are often called on to keep ahead of the technological trends and obtain the latest certifications.

Training also plays a large role in the fight against security issues in IT. Smaller courses can also be taken by employees to fill in gaps in their knowledge, adding more value to the organization while broadening their own knowledge base.

The job requirements are therefore quite steep when employee training is concerned, and if a company is to remain secure and competitive, they will have to keep up-to-date with as many courses and certifications as they can. But what about instances where an employee finds a job in IT on their current certifications, but the role then requires additional training later on? Will the employee be responsible for spending time and money on a certification for a job that they already have, or does the employer bear some of the responsibilities?

The Employer’s Perspective

There are not many modern businesses with a reliance on technology that would argue against employee development in IT security training. This is because employers understand that the operating environment that we are currently in requires dynamic changes and constant retraining and learning, especially where valuable IT resources are concerned. This means that in order for businesses to grow, they need to ensure that their employees grow with them, both in terms of experience and training.

Where employees and employers differ sometimes is in the burden of payment; who really gets the most benefit out of such training? This is where it gets tricky, and some exceptions need to be noted. If an employee embarks on a training course that has both a direct benefit to the company and to the individual, then the employee should think about making some sort of contribution towards the course, even a non-monetary one.

If, however, the IT security training that the employee receives is proprietary and specific to one particular vendor, then the employee should be able to assess how useful and valuable such training would be for them outside of their current company. Perhaps the training is for all staff, not just those in IT, and is a general awareness training program that teaches the basics; in which case, the employees could argue that the subject matter is beyond the scope of their current job descriptions, and they should therefore not have to pay for it.

More employers are finding that an even-handed approach to treating their staff well and retaining the necessary talent means that they should make decent training opportunities available to them as a means of skills development. This benefits the company in that it has the positive effect of creating more-loyal employees, while solidifying the company’s position by adding more skilled individuals to their talent pool.

However, there are some risks that the employer takes whenever free certification and training is made available to employees — the biggest of which is the risk that the now up-skilled employees seek alternative employment soon after learning a new and valuable skill. This is not always the case, but the risk is real for the employer.

The Employee’s Perspective

For employees, it is not always easy or affordable to continuously undertake training and certification. Therefore, the natural expectation is that their current employer would be able to assist by either partially or fully contributing towards the training, especially if the company deems the training to be a requirement.

In some cases, an employee might identify a skills gap in the organization and volunteer to take on a particular role and go on to undertake such training. In these instances, it is not always possible to predict the outcome of such an arrangement, as the company might not see the need as being as great as the employee does. It is important in these cases for the employee to work out the expected costs versus the return on investment (ROI), which will help illustrate to management that the employee has not only identified an area in IT security training that could do with some work, but also that the potential business benefits can be quantified as an approximate value.

However, there may be instances where the company identifies an area in the company that could do with added skills, and an employee might be selected who does not necessarily want to undertake the training. While nobody can be forced to upskill, an employee in such a situation might argue that the training that they are to receive is not of their choosing, and that as such they will not pay towards any costs.

Bridging the Divide

The best approach is usually a mixture of the employer’s and the employee’s perspectives. Finding the best training and certification for the business and department that maximises business value and employee benefit will usually please everyone. IT security training is vital for any business that has a large IT infrastructure investment footprint, and now more than ever, it is important to have all of the safeguards in place that will keep both the enterprise’s data and their customers’ and partners’ information safe.

Find the Right Training Partner

When it comes to world-class IT security training, InfoSec Institute offers some of the most comprehensive options available today. They have boot camps and training courses for all skill levels, from beginners to veteran security experts. If training and certification is what you are after, then be sure to check out the wide range of courses available here. Thank you for taking a look at this interesting debate, and hopefully you have a better understanding of both perspectives of this important topic.

Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.