
Hiring vs. Training: What's Better for Your Organization?

February 21, 2022

So your company just signed up a major new client to develop their business applications. It's a huge project, and your whole team's going to be involved, and it's really exciting. There's just one problem. They want their apps to run on Kubernetes.

Your product engineers are familiar enough with containers and Kubernetes to get it done. But what about application security? Nobody on your team is willing to risk building an entire app in Kubernetes without being confident that they can properly secure it. This can be a deal-breaker, and that contract is on the line.

Which means you have two options. Hire a Kubernetes security expert for your team, or give all your engineers the training they need to get the job done.

Hiring vs. Training: Which is Better?

It seems like an obvious answer at first. Hiring just one or two application security experts, as against training an entire team of developers and engineers, seems way simpler, less time-consuming, and cheaper. Makes sense, right?

But according to several studies and surveys from the last ten years, the opposite is actually true. So how does that work?

How is training your entire team of engineers more cost-effective than hiring just one new person?

To understand why training is actually more cost-effective, we need to understand where our money goes in recruitment. When it comes to hiring even one new person, there are a whole lot more hidden costs beyond just their salary to consider.

We've created a detailed infographic to explain this. You can check it out here.

The Hidden Costs of Hiring

  1. The recruitment process
    If you go through a recruitment firm, they charge you as much as 15-25% of the candidate's first year salary. Even if you do decide to recruit someone independently, you need to factor in the time you take to prepare an advertisement, review multiple resumes, contact the candidates, and interview them. In fact, hiring even a single candidate can take up to 65 hours.

  2. Background checks
    Every candidate will need to get a background check before being hired. Firms that conduct these checks do it relatively cheaply (around $100 per candidate), but depending on how thoroughly you screen and how many candidates you screen, that cost adds up fast.

  3. Onboarding
    Onboarding a new hire is a huge time investment that often requires the involvement of multiple employees. A proper onboarding can take up to 26 weeks as they get familiar with your company's systems, culture, and practices.

  4. Productivity cost
    According to a study by Urbanbound, it can take as much as 8-12 months for a new employee to reach their full productivity potential. This is one of the biggest hidden costs of hiring someone, especially since it's so pronounced, yet hard to quantify.

When you add all this up, the real-world cost of hiring even a single well-qualified application security professional can be as high as $67,500 - $135,000!

In fact, the cost of hiring a professional goes up dramatically the more skilled they are. Hiring an AppSec expert can be twice as expensive as hiring a skilled security engineer.

But is Training Actually Better For You?

We get it. There are lots of reasons you might not want to train your employees. What if they take all that knowledge and experience and wave your company goodbye, only to go to a competitor who's promising them a better salary? That would be your money, time, and effort going down the drain.

But yet again, the data seems to defy all expectations.

For starters, employee retention is 42% higher when employees receive the training they need, and a company that invests $1,500 on training per team member sees an average of 24% more profit than companies that invest less.

But why does training provide those benefits?

Well, here's the thing: your team members actually notice when you take the trouble to put them through a good application security training program. You are helping them be more capable of doing better work. An employee who's able to work at their maximum potential is far happier than someone who's never given the chance to reach their peak performance.

They feel more valued, and as a result, feel more empowered and invested in the work they do, leading to better performance, better morale, and a more technologically fluent workforce. Because when you train everyone equally, they all get the same boost in skills.

Hiring a single application security professional, whatever their experience level, can't match up with a whole team of well-trained, skilled individuals.

Training makes rapid collaboration possible

Let's think back to the scenario I mentioned at the beginning. If you decided to train your product engineering team, you've given them two key things:

  • The knowledge they need to build and secure an application in Kubernetes.
  • A team-wide fluency in application security, making collaboration extremely efficient.

That second point is especially important. Beyond allowing them to do their job well, a level of technical proficiency across your whole workforce means that every team member is pulling their weight. You effectively eliminate the bottlenecks and dependencies that would exist if your team were unfamiliar with Kubernetes.

That's what makes a frictionless, easy work environment. Not just a group of skilled professionals who are great at what they do, but a team of qualified individuals that can accomplish far more when they work together.

Want to download the full infographic? Get it here.

Aneesh Bhargav

When Aneesh is not creating career-focused security content, he’s probably playing video games.