How to Justify Cybersecurity Training to Your Manager

Your manager asked what the training budget gets them. You need a better answer than “it reduces risk.” Vague language does not move budgets. Concrete numbers do — and in Canada, the numbers are not on the side of skipping training.
The Number Your Manager Needs to Hear First
The average cost of a data breach in Canada reached CA$6.98 million in 2025, a 10.4% increase from the previous year. Canada now ranks fourth globally in average breach costs, according to IBM’s annual Cost of a Data Breach Report. The figure includes detection costs, legal exposure, regulatory penalties under PIPEDA, and the operational disruption following a breach. Financial sector breaches averaged CA$9.97 million. No organization is immune.
Training is not a sunk cost. It is a loss-prevention investment. When you frame it this way, the conversation changes.
What “Reducing Risk” Means in Dollars
Up to 90% of successful cyberattacks involve human error. This is not a training problem — it is a math problem. If a single breach costs nearly CA$7 million on average, and training measurably reduces the likelihood of a human-error-triggered breach, the return on a few thousand dollars in certification costs becomes straightforward to defend.
Research shows organizations investing in targeted security training see a 70% reduction in security-related incidents. This is not a marginal improvement. It changes the probability curve your manager and CFO care about.
The Canadian Centre for Cyber Security (CCCS) reinforces this directly. Its guidance document ITSAP.10.093, “Offer Tailored Cyber Security Training to Your Employees”, lists employee training as one of the top 10 IT security actions any organization should take. The CCCS does not recommend nice-to-haves. It recommends controls with proven impact.
The Hiring Cost Argument
Your organization has a second number to factor in. Canada has roughly 25,000 unfilled cybersecurity roles. Finding and hiring a certified security professional is expensive, slow, and competitive. A vacant security position costs an employer up to CA$54,000 over 90 days based on a CA$100,000 salary — and this assumes the role gets filled at all.
Upskilling your existing IT staff is faster and cheaper. Eighty-five percent of employers say they prefer developing in-house talent over external hiring. Your manager likely agrees. The question is whether the organization acts on it.
Role-based certifications let your team expand their scope without adding headcount. A network administrator who earns the Certified Cybersecurity Analyst (CCSA) adds real detection and analysis capability to the team. A senior IT manager who completes the Certified Information Systems Security Officer (CISSO) gains the governance and risk management skills needed to lead a security program — without hiring an external CISO at CA$180,000 or more per year.
Compliance Is No Longer Optional
The conversation around training shifted in April 2026. The Canadian Program for Cyber Security Certification (CPCSC) Level 1 is now active, requiring defence supply chain suppliers to complete an annual cyber security self-assessment. Organizations doing business with the Government of Canada or its primes are in scope.
ITSG-33 — Canada’s primary IT security risk management framework for federal departments — has long required security awareness training as a baseline control. If your organization operates in government, healthcare, or critical infrastructure, this requirement is not theoretical.
Training staff to meet these frameworks protects the contract relationship as well as the network.
How to Structure the Ask
When you go to your manager with a training request, bring three things.
- The breach cost baseline: CA$6.98 million average in Canada, and the relevant figure for your sector.
- The staffing math: what it costs to hire versus what it costs to upskill.
- The compliance requirement: whether CPCSC, ITSG-33, or CCCS guidance applies to your organization.
Then tie the training directly to a role. Not “security training” in the abstract. Specific certifications tied to specific job functions. A team member moving into a security management role should complete the Certified Information Systems Security Manager (CISSM). A junior analyst should start with the CCSA. The more precise your request, the easier it is to approve.
What You Are Buying
Certifications are more than credentials. They are evidence of structured, verified skill acquisition. Mile2’s programs align with CCCS guidance, NSA CNSS 4011-4016 standards, and DHS NICCS frameworks. When your organization demonstrates that its security staff hold recognized, role-appropriate certifications, this matters to auditors, insurers, and clients.
Your manager is not being asked to spend money on training. They are being asked to reduce the organization’s exposure to a CA$6.98 million event — by investing in the people already on the payroll.
It is a defensible ask. Make it with numbers, not generalities, and the answer is usually yes.
