“If I buy your product, I don’t want to pay more to learn how to use your product,” said Mark Eggleston, CISO, chief privacy officer and vice president at Health Partners Plans. The excerpt came from a CISO podcast series featuring several respected security and technology industry leaders, like David Spark.
I saw this post from Spark last week on LinkedIn, and I was immediately intrigued:
“Really?” I thought. “Are you sure about that?”
A Conversation With Mark Eggleston
So what happened next? Here’s the back and forth I had with Mark, a slightly heated but respectful conversation:
Dan Lohrmann (DL): Provocative statement! You got my attention. I can certainly agree with you on some industry products, such as Security Mentor’s security awareness training. We follow that model you suggest to use our platform.
But … as a longtime CIO, CISO, CTO and CSO in Michigan government, what you describe was never the model there. We paid millions of dollars for training during my years in state government, for training from Microsoft (OS, system admin, security, email, etc.), Oracle (big training money on everything they sell), IBM, Apple, Cisco and many, many more. To keep our tech staff top notch, it was: Get out your checkbook.
Bottom line, sounds good, but not the way business is done now. One more thing: Of course they will all “throw in free training,” if you buy an enterprise agreement for tens of millions of dollars for tens of thousands of enterprise seats. But that’s not the deal that small and medium-size businesses get today if you want to be truly “certified.”
Mark Eggleston (ME): Got it. “So it was always done this way?” MS literally has tons of free training, as do many of the numerous VARs out there. The free detailed pro tips which are googlable are also very good. As others have noted, I think this is a callout to think different about customers as being more than a revenue stream … enable their success so they scream out vendor successes to their peers. Make products so intuitive that classroom training is optional. Make the GUI [graphical user interface] drop-dead minimalist and intuitive. Several of my vendors do this today. I sincerely appreciate you as an expert colleague/peer and your experience.
DL: Thanks, Mark. I have tremendous respect for you as well. We (somewhat) agree on the goal to get more solutions to that “free training” point to use their products. Still, training is a big piece of the revenue stream for many tech and security companies. Free is nice, but quality training on hard topics delivered by the best and brightest takes time and attention from high-paid experts who are really good at what they do.
Also, some free training is a waste of time — which is not really free to companies. (Remember, salaries are the biggest cost.) Bottom line: Someone will pay for your quality training. Either the company builds it into overhead and you pay for it in the product or service price, or it is clear and spelled-out in the invoice as a line item.
ME: Thanks, Dan, it is a very mutual feeling — back at ya! So, to go on record, I’m in the camp of thought that says build it into overhead, not a separate line item. That way, the vendor would be compelled to manage the training as part of the overall product costs. In return, there’d be no internal training department fiefdom and executive management would be further compelled to “keep it simple.”
DL: Understood, Mark. I respect your perspective. Thanks. I want to think some more about this, listen to the David Spark podcast and perhaps even do a blog on the pros/cons of this funding/paying for training approach. One last question for you: What are your views on training that helps security teams move up to an “advanced level” or integrates various products and services into the (always promised and never delivered) “one pane of glass”?
For example, SOC analyst training offered for FireEye or Splunk? Or, moving from an analyst to a specialist level in some area of forensics (you pick the tool). Or, becoming a “Microsoft 365 Certified: Enterprise Administrator Expert.” Would the vendors need to offer that for free, or would that be beyond the scope of the product/service?
ME: As a Qualys certified practitioner, I appreciated the in-person training and testing to get me certified was provided near me, and they provided lunch at no cost to me! Really felt like this vendor was in it with me, for the long haul. So, I don’t think Qualys needed to do all that for free, but wow was I impressed with the training and partnership. Kept me a customer for many years. I’m generally less inclined to pursue such vendor-centric certs and prefer agnostic versions, personally (hello, MCSE anyone?).
However, for personal certifications, maybe that is the happy medium point: free training up until you get certified, costs should still be modest to cover expenses, and from the vendor perspective, I wouldn’t continue to do these certification programs unless there is some ROI/inherent value.
How Far Can ‘Free’ Go?
I certainly share the goal Mark articulated of making products easy (and much easier) to use. I also agree that building in self-help training with videos and more makes sense, and more training could be free. As this article points out: “Vendors have multiple incentives for providing customer training. For one, well-trained customers are likely to demand fewer resources from vendors for customer support.
Additionally, customers that are well-trained on the benefits and best uses of a product or service are likely to have a higher opinion of the offering and be repeat customers because they experience more of the value. But at the end of the day, the primary interest of a vendor is to retain customers, not to help your company or department operate as effectively as possible.”
Going further, as this website loudly proclaims, “Product training is part of the product because it is part of the user experience — and you can’t separate the two.”
And as Mark pointed out, there is plenty of free training from numerous top vendors — the likes of Microsoft to Google to major universities — on how to configure and manage various products and the skills required.
Not So Fast — Someone Pays
Nevertheless, as I said in my conversation with Mark, someone will always pay. If all training costs are built into technology and security products, those training costs will become overhead that is not clearly itemized, even if the free training is never used by the customer. Should the laws of “supply and demand” be used here to have the price set by those actually benefiting from the training? What will the market allow and what are customers willing to pay?
Also, there is the question of quality training being offered by the best and brightest. While very good training is often available virtually or on-demand — especially during COVID-19 and working from home — some top training requires labs and special equipment.
Many courses that I have taken in my career on products ranging from Cisco to Microsoft to Oracle were multiday or even week-long courses that cost thousands of dollars to attend with hands-on labs, not to mention travel costs and other expenses. Still, I am glad I did attend those classes with top-notch instructors who really knew the material and had hands-on, real-world experience.
If all of those courses were “required” to be free, would the same quality instructors be offered? Would the class be offered at all? In some cases, the answer would be no.
Another question revolves around how far the training should go. Should free training get you to a competency level or a level of world-class excellence? No doubt, world-class excellence is much more expensive than teaching the basics, but many technical and security disciplines take years (and many courses) to master.
Finally, I want to mention that free training still takes staff time — and time is precious. There is truly “no free lunch.”
This blog uses a format that I have never tried before. One benefit is that any LinkedIn user can join the conversation embedded above. Please leave a comment explaining your opinions regarding free technology and security training. Should all training be free from vendors once you buy the product? How many people should the vendor train? What about offering free certifications toward becoming an expert?
I’d love to hear your views.