Posted by Jim Ivers on November 17, 2015
Given enough time, it’s easy to talk yourself out of making the investment in training for your staff. Organizations that take the long view recognize that software security training is an investment that yields critical returns to both the organization and to the staff.
Training directly impacts key metrics like bug density and time to remediation. According to IDC MarketScape’s Worldwide IT Education and Training 2013 Vendor Analysis, one hour of training saves five hours of lost productivity. Educating developers helps prevent bugs from being introduced during coding through the application of best practices. When bugs do enter the code, educated staff are needed to interpret the results from code assessment and scanning tools and to select the proper mitigation for what is found. In short, an educated staff introduces fewer vulnerabilities and remediates discovered vulnerabilities faster.
According to InterCall, 69% of employees under 40 say training plays an important role in their decision to stay with their current company or position. Security professionals by nature seek knowledge and want to keep pace with evolving attack patterns and the mitigation techniques that evolve alongside them. Implementing security training satisfies this need, keeping them challenged in their work and confident that they are growing their value to the organization. Given the scarcity of available security professionals, retaining staff is vital.
The best way to ensure your organization maximizes the value of training is to build, manage, and measure a deliberate training program. Use different delivery methods (instructor-led training and online learning) to cover all learning styles. Employees should be given incentives to take training, with training integrated into their career plans and considered as a factor in advancement. Peer recognition through things like certificates is particularly effective. Incorporating examples of past security events helps bring the training out of the theoretical.
The program should cover every role in the software lifecycle: it starts with architecture and extends through QA and testing. If you use consultants, remember that you pay them to fix the bugs they write, so sending them to training maximizes your investment in this segment of your staff as well.
The Building Security In Maturity Model (BSIMM) reflects many of these ideas in the “Governance: Training” practice of the BSIMM activities. There are activities covering employee recognition (T3.1: 3), the development of material based on historical events (T1.6: 17), and the establishment of a role-based curriculum (T1.5: 26). Training is also crucial to the creation of satellites, extensions of the software security group (SSG) made up of people throughout the organization who show knowledge and skill in security. Training identifies satellite members and develops their skills, effectively extending the reach of the SSG and improving the security posture of the organization.
Ultimately, training has far too many benefits to ignore. The costs are quickly returned through the application of the skills learned. Preventing vulnerabilities quickly reclaims the time spent in training, as does quickly mitigating the vulnerabilities that are discovered. In the end, you simply cannot afford not to train your staff.