Training Budgets

  • Training Budgets

    Knowing this has the potential to be all "YMMV" responses, I am interested in discussing what other orgs use as a baseline for training, specifically for more technical roles. I have been pushing to get my team to a con (WWHF/DEFCON/etc.) of fairly low cost (plus travel), a few local cons, and then one major training (e.g. SANS, PWK+lab, etc.).
    Twitter: 0xSeanG

  • #2
    As a startup, my org doesn't have a formal training program. They haven't been unsupportive, per se, but the lack of a formal process/program adds friction. I've been paying for a lot of my own training myself simply because I don't want to go through the trouble of trying to convince my leadership that it's worth it and get it approved.

    Edit: for folks that work in companies with more formal training programs and with actual training budgets, what do those programs look like?

    Twitter: @AccidentalCISO


    • #3
      We have a formal training budget - it is a dollar figure per person. Each team's leadership can then spend those dollars as they see fit. Usually every year we collect training requests from the team and then review and prioritize those training requests until the entire dollar amount is spent. Some team members get more training/funds than others, but, we try to balance it from year to year.

      Regarding 0xSeanG's original post -- our per person budget wouldn't support the cost associated with your proposed "1 con + 1 SANS" approach... although it would be wonderful if it did. We usually can't send everyone to SANS courses on account of SANS being quite expensive. Generally about half of our team does something on par with a SANS class every year and the other half does something that's more in the "low cost conference" type event.
      Last edited by Forge; January 7th, 2020, 09:58 PM.


      • doymturner
        This seems to be pretty common in my experience with several companies. I have been fortunate enough to be with 2 companies that had real buy-in from management on training people. It makes a world of difference both on what is available and on how comfortable folks were inquiring about interesting options.

    • #4
      I was the first outside hire for my $dayjob's Infosec team. Up until that point, no one had asked about a training budget, so I got to monopolize it. Now that we have a full team, all of whom want to take advantage of the budget, I've been fighting to get it increased, but C-suite leadership doesn't understand the need for it. We can do conferences, as conferences are usually cheap, but classes break the back. Between four of us, there's only enough money for one formal class a year. I've had to look into leveraging the corporate continuing education plan to take any more SANS classes by enrolling in their Masters.

      What I need is to put something together to show the value of continuing education, and to show that education, in this field, on the technical side, usually isn't about credentialed classes. That may be the hard sell.


      • #5
        Originally posted by accidentalciso

        Edit: for folks that work in companies with more formal training programs and with actual training budgets, what do those programs look like?
        Very large company here. Our training programs are a few different things.
        • We have a pretty robust internal training program with online resources (similar to Coursera or Udemy) that is open to all. This is where we send most people to start when they ask for training.
        • We have normal old tuition reimbursement for degree-granting things (up to $5k/year). Has to be job related and requires manager's approval.
        • Managers can approve local training/classes/cons at their discretion as long as it's not many thousands of dollars a year.
        • Certifications are the same; at manager's discretion they can reimburse employees.
        • Anything involving travel or expensive multi-day classes (think SANS) involves prior approval through a formal process to get $$$. These are easier if we plan ahead and include it in a budget request for the coming year (but not impossible if they are last minute either).
        • Any of the big security cons require a formal approval process to attend above and beyond the travel budget because we show up in force and they want to know centrally who is attending from our org.
        • Lastly, we have a Fellowship program with a university for a Master's in Cybersecurity that allows employees who get approval to get a full MS for free. The tuition reimbursement covers it and the university discounts the program from its normal cost by about 85%.
        I'm lucky to be somewhere that provides lots of options (with the normal large company process headaches) and that really values continual learning and job reeducation.
        Last edited by joshlane; January 9th, 2020, 09:14 PM.


        • #6
          Wow joshlane! That is great.
          Twitter: 0xSeanG


          • #7
            We do not have a set budget number for any individual, but we do put it in our annual budget for a training cost on the department as a hold. That is not a hard line. My boss has been very good at approving pretty much anything. SANS included. There have been years where I've done Black Hat, DEF CON, and SANS all in one year. So I've done over $10k individually.

            The one thing he has cut a bit back on lately is conferences. He is starting the true ROI on conferences and I think strongly devalues the networking benefits and just general atmosphere of what cons bring in regards to discussions. Yes, most cons post their videos online. But we have so random conversations at cons and I learn a ton from that. Plus, I now have a large group of people I know I can go ask questions to and we've become friends so they'll tell me their opinion/answer. Compared to me being no one and then going to ask the question. They probably share more information too, which is a big benefit.

            Certifications are reimbursed. If we want any books or anything, it is covered. However, I like purchasing my own books because I find benefit in being able to keep it.

            I really wish we had tuition reimbursement. It's something I've asked for a few times over the years.
            Frank McGovern
            Founder - TheIKE, Blue Team Con