Posted by Tamulyn Takakura on March 6, 2018
Written in coordination with Prasaath Velu
According to 451 Research, 19% of about 800 organizations listed security awareness training ineffectiveness or difficulty as a top information security pain point. In fact, (ISC)2 has estimated that there will be a 20% increase in software security jobs—from 1.5 million in 2015 to 1.8 million in 2022—further stressing the cyber security workforce shortage. As the scarcity of software security experts continues to grow, investments in security training must present a clear path that yields results and resolves this pain point.
451 Research’s analysis is not unfounded. In a 2017 report on security training, Gartner said, “End-user-focused security education and training is a rapidly growing market, with demand fueled by chief information security officers’ (CISOs’) and employee communication leaders’ need to help change or improve the security behaviors of employees, citizens and consumers.” The research and advisory firm added that because humans are a necessary element of organizational security programs, CISOs must “recognize and manage the increasing impact of employee behavior on enterprise security and risk management efficacy.”[1]
[1] Perry Carpenter and Deborah Kish, “Forecast Snapshot: Security Awareness Computer-Based Training, Worldwide, 2017,” Gartner, March 8, 2017.
While the Synopsys consulting group focuses on providing software security services, such as SAST, DAST, penetration testing, and more, our consultants have an up-close and personal look into the features most companies desire from their software security training platforms. Here are the top needs they’ve shared with us:
Verizon’s 2017 Data Breach Investigations Report (DBIR) reveals that four in five companies never measure the success of their security training investments. Recent high-profile breaches highlight the importance of software security, but one or two security or QA teams can’t do it alone. Every employee across the entire organization needs to take ownership of and responsibility for security.
Although security awareness training can improve security knowledge, it doesn’t necessarily drive security-based or outcome-based behavior. In response, organizations are seeking gamified courses and platform features—whether just-in-time training through application security testing integration or learner progress tracking—that motivate learners to learn continuously and to apply what they’ve learned in a way that helps organizations achieve their security goals.
An example of where outcome-driven training is especially crucial is standards compliance. The reality is developers can’t help organizations drive security compliance without learning the principles behind the standards, being shown where lessons are most relevant, and getting guidance on how to apply concepts. This kind of training leads not only to stickier security behavior but also to increased developer performance.
Security is a broad topic, especially when it comes to software. To maintain learner engagement, software security training offerings must deliver courses that are relevant to the learner’s role or project. Security training for developers is not the same as for QA engineers, architects, and so on.
The challenge here is that there is no one-size-fits-all security training curriculum. Every organization, team, and project is different, and organizations must account for this, whether they’re developing training programs or adopting security training tools.
After organizations have adopted and deployed security training tools, some wonder whether they’ve gotten a good return on their investments. Organizations need clear metrics that demonstrate training effectiveness, including but not limited to these:
Security training needs to fit the on-the-go lifestyle of modern-day users. Minor inconveniences such as incompatibility with mobile devices, long and boring courses, and excessive clicks are all triggers for learner procrastination or laziness. While an additional click may be considered little effort by security training developers, it’s an inconvenience that discourages learners from moving forward with their lessons or feeding their curiosity. Training must be made as easy and accessible as possible.
Knowledge is information, but intelligence is the capability to connect information. Features that guide learners to connect information tap into their intelligence and encourage knowledge retention.
Connecting information can happen in several ways:
We’ve worked closely with our consultants and customers to understand what they want in a software security training platform. We listened, and now we’re delivering not just the above features but much more.
Synopsys eLearning is an outcome-driven, learner-centric training solution that makes learning about security easy, relevant, and accessible. With Synopsys eLearning, learners have on-demand access to an immersive, continuous learning ecosystem that unifies security expertise, instructional design, and storytelling into an intuitive platform. Features such as content gamification, modularized courses, hands-on exercises, peer-based discussions, role-based training, training impact metrics, and much, much more enable developers to actively build the security competency they need to help their organizations achieve security compliance.
Synopsys eLearning offers a robust course catalog that demonstrates both depth and breadth. A wide range of courses caters to various audiences and covers an array of software security topics. We regularly add and update courses to ensure that in a rapidly changing space, our content stays up-to-date with the latest information. Each course is feature-packed with game-based mechanics that motivate continuous learning. Not only have we infused each lesson with hands-on exercises, real-world case studies, captivating storytelling, and dynamic animations, but we’ve also modularized our lessons to promote nonlinear learning. We’ve found that by marrying these elements, we’re able to guide learners to understand concepts, contextualize them for real-world application, and break lessons down into actionable next steps in contained exercises. Consequently, learners can better retain lessons, apply skills, and drive outcome-based behavior in their real-world projects. See our full course library.
When we designed our eLearning platform, our goal was to bring the knowledge of our software security experts directly to learners in a startlingly accessible way. Learners have on-demand, 24/7 access to Synopsys eLearning on any device—our platform and courses are mobile-responsive—to fit their busy lifestyles. We’re also integrating Synopsys eLearning into the broader Synopsys Instructor-Led Training portfolio (both regular and virtual), with web conferencing integrations, and into our application security testing tools, such as Synopsys SAST (Coverity). These integrations will enhance just-in-time learning, contextualization, and content discovery to further drive outcome-driven behavior.
At the end of the day, it all comes down to results, which Synopsys eLearning makes it easy to see. Learners and administrators can clearly assess training impact and learner progress within a single dashboard. This visualization of progress, skills gaps, and future needs will empower developers to thrive in their roles and continue to make positive security-conscious decisions.
Synopsys eLearning is available for purchase today. Interested in learning more?