I recently was watching a video about George St. Pierre (https://www.youtube.com/watch?v=CpfGk8ms3aY). He was an active UFC fighter back around 2007. He held the UFC middleweight championship belt for several years during that time. In the video he talked about how he spent his first million. At the beginning it was very economical, like paying off debts, buying cars for his parents, helping pay for his sister’s college degree, etc., until we got to the self improvement/travel section.
This is where I was shocked: St. Pierre spent almost a quarter million dollars on traveling the world and getting training under different disciplines. A couple quotes that stuck with me during this video were: “To grow as a fighter I needed to learn expertise from others,” and “It’s hard to become champion, but it’s even harder to stay champion because you become a target.” This really resonated with me how even in the security field you can’t stay stagnant and need that continuous improvement. Above in the featured image is a screenshot of the breakdown of St. Pierre’s first million.
After seeing this it triggered me to start adding up all that I had invested in myself over these last several years. Conservatively I would say I’ve invested more than 10k of my own money in security training. From the reader’s perspective it might seem like a lot or not much, but either way this was money from my pocket and not from the company I was working for.
There’s been so much training I’ve done over the years it’s hard to mention it all. I included local conferences, certifications like eCTHP and eCPPT, training sites like Hack the Box, TryHackMe and PentesterLab. This included hardware such as a 2U server for virtual machines, a WiFi Pineapple, and a Raspberry Pi to practice on, all the books I’ve acquired and even just training courses like Chris Sanders’ “Practical Threat Hunting” and “Investigation Theory”. It really adds up over time.
Now out of all the 10k I spent on myself, I have to say only one company has paid for training that I wanted and that was for my CISSP exam and course material. Just think of all the training I would have gotten if I just relied on my company to pay for it: I would have only my CISSP. I can’t say this one certification would truly prepare me for the diverse field of security. I’ve seen others ask for a subscription to PentesterLab only to be denied and never look at the service again. This person didn’t improve or learn anything from that experience nor is this person more capable of being a better SOC analyst. I guess I’ve never expected a company to pay for my training to get better. It’s a nice gesture, but my goal is to get better. If I don’t think I’m worth investing in myself, how can I expect a company to do so? I have a saying: “I would never ask a company to pay for anything that I wasn’t willing to pay for myself”. I won’t let a “no” from a company stop me from getting the training that I believe I need.
Going back to George St. Pierre. Would somebody just give him money to get a gym membership before his first ever fight? Would he get access to even top trainers because he wanted to get into Mixed Martial Arts? No, of course not. If he wanted to be a better fighter he had to pay for whatever he needed to get better in hopes that it would help him win a fight and make that money back. Why do some feel that it should be different for the security field? Why does a company need to give handouts for the person to improve? Even after George became champ I’m sure certain things might have been cheaper or free, but training with the world’s best trainers would still cost money and that money wasn’t coming from UFC to make him better.
Also, I want to mention not everybody has a hundred dollars here or a thousand dollars there, but there’s a lot of good training out there now for free. You might not get a nice badge saying you know about a topic, but you’ll be able to talk about it in an interview or identify an issue in a real environment. If you do have a little bit of money, you can pay for a service like TryHackMe for a month and that’s it. There’s no need to get a several years’ subscription to the service.
Looking back I don’t regret spending any of that money. There’s some training I would say was better than others, but I don’t regret any of it. I’ve learned so much because I was always willing to invest in myself. I’ve learned a lot on the job, but I can say I’ve learned a lot outside of work too. There might be questions if you should, but I believe this is one instance it’s good to be a little selfish and invest in yourself, if not with money then with time.
Editor: Emily Domedion