Who should pay for IT security training? The employer, or the employee? Both!?

Henry Dalziel | Certified Ethical Hacker, CISSP, CompTIA, CPTE, EC Council | March 8, 2013

We ask because our students come to us from various backgrounds, but the recurring theme is – perhaps understandably – who is going to pay for the course! There is a slight lean towards our students being self-funded but many are also company sponsored. The question is, if an employee is working for an organization that will benefit from his or her training – should that employee pay?

Our research into this led us to an article by Slashdot regarding this subject and the post raised a valid point; that is, “If the training meets a specific need and [helps] to grow the business then the company [should] pay for the training and on company time.” That really nails the discussion – the truth is that if the company does benefit then surely the employer foots the bill. Training is an investment with a specific and, in many cases, measurable return on investment.

We specialize in Information Security training and short skills-based courses like nmap scanning (which we just organized recently) and to us, the idea that an employee should be burdened with training costs whilst also protecting the company they work for from the (often enormous) costs involved with security breaches and intrusions is not fair.

There are many options, however – that’s the good news. If the employer truly does not have the budget to invest in their employees and IT staff then perhaps they could offer to pay for the exam voucher, split the fees, or invest in the study materials – or – at the very least, allow for study-time outside the office.

Incorporating training into an employee’s contract
Having worked in Europe for the UK’s largest marketing school, the author can tell you firsthand that it is common for European employers to tie education and training into an employee’s contract. It’s a simple process: the employer pays the full cost of training (relevant to the organization) and in return the employee commits their allegiance to the company by agreeing to stick with the company for a fixed period of time.

In some instances IT training is not useful or not deemed a worthwhile ROI, but with information security training it’s the law! Directive 8570, which many readers will be aware of, especially those in the security industry, is a policy from the US Department of Defense’s Information Assurance Workforce Improvement Program that stipulates that every DoD employee and any contractor working with the DoD have training and certifications in information security. Security+, CISSP and Certified Ethical Hacker (amongst other certifications) are all accredited by Directive 8570.

Last word
What are your thoughts? Who should pay for IT training? Should the costs be split or should the training fees be repaid over time? Who benefits more, the employer or the employee? Let us know your thoughts; we’d like to hear from you, especially if you have experienced any of the above.
