This post is about controlling training costs from vendors to get into the #DFIR field and creating your own system to continue training after you get into the field without flattening your bank account. I’ll post my experience and opinion on the college system in another post.
My start in forensics started in government work where ALL TRAINING IS FREE. I say free, but I completely understand that the training was never free since taxes paid by the public were used to pay the vendors. As far as the months of government training (FLETC, etc…), I cannot imagine the cost incurred that were paid out of taxes. Nevertheless, my out-of-pocket expenses were zero. I consider myself fortunate to start in the DFIR field with practically zero out-of-pocket costs.
In my post government career, I have seen the how the cost of DFIR training directly affects a company, a small business owner, and the individual attendee. Every dollar counts when it comes out of your pocket (or if you are the owner of a company, out of the company’s pocket). Adding up just the costs of vendor and government provided training courses I attended while a government employee easily exceeded $100,000. I miss the days where the only decision I had to make to go to a DFIR training course was based only on “if” I wanted to go…practically anywhere in the country.
At this point in my career, I evaluate training on several levels:
- #1 Factor Topic
- If I can teach the topic, I’m not going
- If I don't foresee a use for knowing that topic, I'm not going
- If it is something I don't know, but better know, I'm going
- #2 Factor Provider
- Known quantity (by the vendor name OR instructor name)
- Certification (ranks lowest on my scale of importance)
- #3 Factor Cost (Tuition AND Expenses)
- Expensive is generally off my list, unless it’s a necessary course provided nowhere else
- Cheap is ok, but not if I already know the material
- How much revenue will be lost if I go (for business owners and billable workers)?
- How much vacation will I have to burn (if company time off not provided)?
- #4 Factor Location
- Out of country is out of the question
- Out of state depends on Factors 1-3
- Live online depends on the time offered
- On Demand's flexibility works well
Before I take any training, I factor everything in a spreadsheet. I use a super simple spreadsheet that you can download. The way I use the spreadsheet is described at the end of this post if you have interest in having some sort of rationalization for spending money on training. By putting down on paper, the actual dollar amount per hour I pay, I can more easily see if I am wasting money or getting a good bargain in training. This allows me to take more training overall.
Basically, if the numbers ($$$) don’t work out, I don’t go.
For software being provided, this score is important only if the software is something I would have purchased anyway, such as renewing a license or getting a new license of the software. If the software is something I don’t need or would not have purchased otherwise, the course is probably not relevant to me either.
The length of the course is important. I don't want to go to a 3-month long course again for the rest of my life, but I also don’t want to spend a few minutes here and there with different vendors and different topics to add up to substantial training. What I mean is, there are plenty of YouTube videos that range between 15 minutes of instruction to maybe an hour or two. Nothing against YouTube videos, but when I watch a DFIR YouTube video, I do it mostly for entertainment purposes, like watching a SANS or Blackhat presentation. Usually some good info, but many times too much goofing off or high level lecturing than anything else. Plus, when it’s just a video online, without tracking of attendance, completion, or otherwise proof of watching it, what is the point?
Some of the on-demand courses I have personally paid to take have ranged from terrible to really good. The terrible on demand courses were those that I could not understand because of a language barrier where the instructor’s language was other than native English. The information may have been superb, but my frustration in trying to decipher what was being said at the same watching the demonstrations on a computer meant losing out on the information.
Other on-demand courses that cost over $200 provide ONLY ONE HOUR OR LESS OF MATERIAL. I strongly recommend to never take those courses unless it is something you don’t mind spending $200+ an hour to watch. I figure that a course needs at least 4 hours for me to consider because many times, I find that I knew half of the material beforehand. A one or two hour course risks handing over money for nothing in return.
Sometimes, you have to bite the bullet for an expensive course. If you want to be Encase trained and certified, either you pay or your employer pays, but someone is paying Guidance Software. No one else other than Guidance and licensed vendors will provide Encase training. Same with many other software tools. Part of their revenue generation is from training, so expect to write big checks if you go that route.
Conferences can be a real winner or real loser when it comes to tuition, solely based on if the conference charges just enough to cover expenses or charges a heck of a lot to cover the pool parties, drinks, food, marketing costs, and maximize corporate profits.
For the new folks, conferences can be overwhelming because the topics range from one end of the DFIR spectrum to the other, but in short breakout sessions. Don’t expect to master a skill based on a 2 hour lecture. Expect to be overwhelmed with what you experience. For the more experienced DFIR folks, conferences are great because sometimes all you need is a 2 or 3 hour presentation on different topics you want to learn more about.
In short (or long), you can control the amount of money and time you spend on training. Go ahead and use my spreadsheet and customize it to your needs. Unprotect it to change it (right click on the worksheet tab > unprotect). Or use it as is. I can assure that once you start putting in the numbers, you will have a clearer picture of how much money you are actually paying, per hour, which will change the way you randomly pick training courses to attend.
Generally, I have a range of how much I will spend per hour for any training course. The only exceptions are when I need/want a specific certification that I cannot get anywhere else. And for those certs, I usually don’t get any more anyway.
The way the spreadsheet works is simply entering:
- Rating of importance to you (topic, vendor, etc…)
- Number of hours*
- Cost (tuition, expenses, loss of potential revenue/billable hours)
*The number of hours is misleading because of breaks/lunches. So, the spreadsheet takes into account 10 minute breaks for each hour and a 1-hour lunch break as AVERAGE. I’ve seen breaks go beyond 20 minutes and as short as 5 minutes. I’ve seen lunches be served in the room for 30 minutes and had an hour and a half in other courses for lunches. Add up the time and you’ll see that a 40 hour course has 5-8 hours in breaks. This means you don’t get 40 hours of training in a 40 hour course.
The calculations will give you:
- Score of importance to you balanced by important factors (0-5)
- Cost per hour
You can then quickly compare an on-demand/online course to its classroom version as well as seeing exactly how much money per hour you will spend on any training. For me, I want to know the value of what I am spending as it relates to what I am getting.
This method also helps me avoid the beer fests that are accompanied by some lectures in the morning, where I would spend thousands on tuition, thousands on expenses, and loss of thousands in potential revenue, just so I could walk among zombies in the day time. I still do this, but not as much as before. Maybe I’m getting old or maybe it’s because I now know how much I am spending per hour….
Download the spreadsheet here: Evaluating Training.xlsx