March 27

A Multipart Letter to Employers of Security Professionals


by Andrew Hay

My name is Andrew Hay and I, like many of my colleagues, work for an organization in an information security function. What I’d like to impress upon you is the need for organizations to support the continuous learning of their security staff. The security field evolves constantly and, to that end, requires its practitioners to adapt. Most practitioners increase their knowledge by reading blogs, books, and papers in their spare time and by joining local security organizations. Some, depending on where they live, even pay out of their own pocket to attend local or domestic security conferences.

If your employees are taking the time to enhance their knowledge – knowledge that will inevitably be used to help protect the organization – shouldn’t the organization match that contribution?

That is the point of this, and future, articles. I would like to help you understand how you can contribute to the protection of your organization by assisting with the professional development of your security staff.

The first way to assist your employees is to allow them to attend industry conferences. Conferences are the best way for security practitioners to meet their peers, share war stories, and learn from the best minds in the industry. Many organizations are hesitant to send their staff to conferences because of the cost, but the average registration fee for a big-ticket conference is roughly $1,500 USD, excluding flights, hotels, and meals. You’ll note that I listed those extra costs as a separate line item: often the registration fee isn’t the pain point; the travel-related costs incurred by those attending are.

Attending a security conference does not need to be expensive, however. Several organizations, such as ISSA, ISACA, OWASP, and many others, offer local low-cost one- or multi-day conferences that cater to practitioners in a particular geographic area. The conference content is excellent, the employee has the opportunity to network with peers, and the employer need not worry about large travel-related expenses.

Ideally, the business should budget for one major conference, which may or may not be local, and one or two local conferences per budget year. This nominal investment not only helps bring cutting edge knowledge back into the organization, it also boosts the employees’ view of the organization that they work for.

In subsequent articles in this series, I will strive to help you understand the other avenues for supporting security practitioners within your organization. With this knowledge you can ensure that your employees are being equipped with the weapons to effectively manage the overall security of your business. Until next time.



  1. Nice post, Andrew. This is something I always bring up during job interviews: “What can you tell me about the training budget?” I try to have a conversation about how important I believe training is, etc.

    When I was in a position where I was responsible for managing the budget, I set aside $4500 per employee for training and travel. It’s not cheap, but I believe the ROI is high in terms of more effective and happier employees.

    If it’s difficult to get away for training, there are more and more online offerings every day. I have taken several courses online that were four hours a week for 10 weeks. The same training is offered at conferences in a week-long format. Doing it online was cheaper, allowed me to stay at work (whether that’s a benefit or not depends on the person), and gave me a week to digest the material in between each session.

    Due to the current economic climate, my employer recently put a freeze on all training budgets. But there are creative things that can be done. For example, I’d been wanting to go to Shmoocon for the last few years. This year, I had the money and the vacation time, so I went. While I was there, I took good notes and when I returned to work, I wrote up a two page summary of what I’d seen and learned and sent it to my boss asking if I could share it with the whole team. She was pleased and told me to change the vacation days on my time sheet to work days. It didn’t cover my expenses, but having the vacation time back was a huge win.

  2. Andrew,

    “Attending a security conference does not need to be expensive, however. Several organizations, such as ISSA, ISACA, OWASP, and many others, offer local low cost one- or multiple-day conferences that cater to practitioners in a particular geographic area.”

    Let me second that comment; you are right on! As a matter of fact, providing a low-cost or free educational opportunity was one of the reasons why I founded a local security group called the Northeast Ohio Information Security Forum. Networking and sharing with peers was the other reason. The meetings are free to attend and include relevant topics from knowledgeable local and regional speakers. We have some great discussions amongst members as well, all without anyone selling a product. We usually get around 40 people attending and have over 400 in our mailing list database.

    I want to mention that our local InfraGard chapter offers free and low-cost training as well. We hold quarterly meetings and an annual two-day security conference called the Information Security Summit. The Summit, which features over 30 sessions as well as half- and full-day training, is very affordable at $250.

    Northeast Ohio professionals have some great low-cost and free offerings to choose from.
