For organisations looking to train their developers in application security, there are two possible solutions: in-house or outsourced training.
Whilst in-house training from resident security professionals may seem like a great idea, the efficacy of your security training (and its return on investment) will usually be much higher with outsourced training.
1) Overcome Cultural Barriers to Security Adoption
Encouraging a secure culture is the best way for your organisation to respond to the threats posed by application vulnerabilities and malicious attacks. Security needs to be viewed as an organisation-wide priority, and not just an issue of box-ticking compliance. Achieving this mentality can be a challenge in large enterprise organisations, but thankfully, you can leverage outsourced security training to help break down any cultural barriers.
External training providers will approach developer security training in a different way to in-house employees. They’ll have a framework that was developed outside of your organisation, and they’ll teach security in a way that won’t conform to entrenched attitudes towards security.
Even if your in-house training team are willing to adopt new security practices, it may be difficult for employees to be taught by members of their own team. Outsourced security trainers won’t suffer from this problem – and their expertise and insight in the field may make it easier for developers to respond to their suggestions.
2) Cutting-Edge Training and Specialisation
In-house security experts have to balance their professional responsibilities. Whilst it’s important for them to research application security, their ability to do so will always be tempered by the responsibilities of their day-to-day roles.
In contrast, outsourced training organisations are full-time security specialists. They devote all of their time and energy to learning about application security, and to staying at the cutting edge of security and technology developments. This translates into:
Broad Knowledge of Developer Security Training
We’ve talked before about the importance of role-specific developer security training. In organisations that employ developers with a diverse range of skill sets and language specialities, it’s essential that your chosen training program has the capacity to cater to .NET, Java, PHP, and a range of other niche specialities.
Up-to-Date Expertise
Staying up to date with the latest developments in application security is a full-time job. New threats, vulnerabilities and fixes appear on a daily basis, with each new security issue a potential calamity for a large organisation. Whilst in-house developers are unlikely to have the spare capacity to research these developments, outsourced training companies will be able to stay at the cutting edge.
3) Skills in Both Application Security and Developer Training
There are two essential components to effective training: security knowledge and training ability. In the same way that relatively few research scientists and PhD graduates make good teachers, it takes more than expertise in a topic to be able to educate and train people. An advanced understanding of security is only half of the puzzle – and your security trainers need to be able to share their knowledge in an effective way.
In-house training typically draws on the business’s own internal experts. Whilst these people are highly skilled in their own field, it’s extremely unlikely they’ll possess the same level of teaching ability. In order to help in-house trainers achieve a suitable standard of teaching ability, it’s often necessary to invest in additional training – making external training a more effective use of resources.
In contrast, outsourced training ensures that your staff are being educated by trainers that are experts in both application security and effective training methods. As well as possessing cutting-edge security insight, they also have the skills necessary to share that insight with your own staff.