Authors:  Tania Ward, Dell; and Altaz Valani, Security Compass; John Martin, SAFECode

One of the biggest challenges around security training is getting both the training and the real work done. For a lot of organizations, training time is often a significant investment with little tangible result beyond checking a box for compliance. If we are going to retain and build our people, if we’re going to reduce rework in the software industry, then we need to focus on the incremental learning that builds a sustainable security culture, increased confidence in our skills, and resulting LEAN processes. The approach of “checking a box” can make an organization compliant to some audit-able standard but does little to help the organization develop secure software. By improving the way we train our people, we improve the outcomes for software projects, security programs, and enterprise initiatives.

This blog post identifies key areas that security training should focus on to create sustainable value in the long term.

Focus on the Learner
Learning is about filling a knowledge gap that exists in the mind of a learner. Most learners are already knowledgeable, so the training is probably either an addition to that knowledge or a reminder of what the student already knows. Putting the learner at the center focuses security training on what’s most important to an organization — its people.

We should always focus our security training on the people, not the tools. Ultimately, competent people strengthen the security capabilities of an organization.

An example of focusing on the learner is training on the use of strong passwords. In this case, a gap exists in the learner’s mind around what a good password should be. Rather than setting a password policy that seems to “get in the way,” good training will help the learner understand why strong passwords are key to ensuring the integrity of information in our systems. In this way, training supports policies that are there to guide and remind, rather than hinder them in their work.

Keep it LEAN
Regular disruptions to a learner’s day-to-day workflow create frustration. Training should focus on the problem’s solution in the most efficient manner. Look for ways to focus on the problem or solution without significant disruption to the way work is normally performed. Ideally, security training should eliminate rework in their day-to-day efforts. In general, training should be limited to four or five simple knowledge targets that the learner can use today.

We should always try and make training bite-size and efficient. Jumping through elaborate scenarios usually wastes time, demotivates the learner, and generally decreases the ability to learn.

An example of this is providing training on input sanitization. A short clip or brief text directly in the software developer’s ‘build’ environment can give the learner the key concepts needed to write secure code. It fits naturally with their day to day workflow since they are already in their work environment.

Give It When You Need It
Provide the right training at the right time. The training should be given at the appropriate time based on the persona. An executive, for example, can plan ahead for a training session. A developer, on the other hand, may require training in real-time. The training should be integrated into the working environment so it is relevant.

We should give the right training to the right people at the right time. The training should be seamless, easy, and immediately available.

An example of this is just-in-time (JIT) training for developers on bounds checking. Automated bounds checking during C-code development provides immediate feedback to improve code security outcomes. 

Align People to Org
A hard truth is that pushing unwanted training to an unmotivated learner just doesn’t work. Each learner has their own personal objectives – maybe to improve their current process or an aspirational goal like becoming a leader. Often, what’s good for the learner is also good for the organization. Being able to tap into these motivating factors and look for ways to align personal wants and organizational priorities is a win for both the learner and for the organization.

We should always consider personal objectives as a contribution to the organization. Look for alignment both from the top down, as well as the bottom up. We want our training to be clearly targeted at the learning goal and purposeful in its messages.

An example of this is creating an app that must be privacy compliant for regulatory reasons. However, privacy is an area many developers today know little about. Providing privacy training can help a developer grow in their understanding of the subject, making them more competent in their role, while at the same time meeting organizational objectives.

Match Mode to People
The mode of training should vary depending on the subject matter. The methods and tools are just as important as the learning. For purely technical training in a developer environment, a web-based approach could work fine. On the other hand, teaching abstract leadership skills may require a simulation to reinforce the concepts. A blended approach across different modes should be used if it strengthens the learning experience.

We should always consider the right delivery mode against the intended objectives and experience of the learner. Training should always be contextual.

An example of this is providing executive security training on risk identification by framing it as part of their job. In determining if a software vendor is going to be approved for the enterprise, training included walking the responsible executive through key security concepts, providing a cheat sheet of questions the executive could ask the vendor, and a scoring system for the executive to use in the evaluation and approval to go forward. In this case, we were able to combine training with real-time participation in the creation of a security decision. 

Teach Small Things but Embrace the Journey
An individual training module is not about having an elaborate long-running program, but about changing a single behavior. As each behavior changes, each step in the journey becomes real. As the behaviors accumulate, each small change is continually wrapped into the organization’s objectives.

Don’t try to teach everything all at once. We should always strive to create and deliver training that incrementally builds on previous knowledge and delivers organizational value.

An example of this is a recurring email reminder about how “Security Champions are here to make you stronger”. This type of reinforcement aids in the retention process. Coupled with the right metrics, it can help drive the right behavior.

Speaking of Security Champions, here’s an unabashed plug. Among SAFECode members, the Security Champions belt programs (and their equivalent) routinely outperform legacy learning programs. Typically, in this system, White Belts are offered enterprise-wide to those who’ve completed a series of micro-learnings and goals. More advanced belts are offered to smaller audiences and have increasingly technical and social requirements. At the Black Belt level, both the skills and the ability to teach and evangelize those skills are world-class.

A good security training program focuses on the learner’s journey. It helps them move from one step to the next using a variety of learning methods that may be quite different over time. The focus should be on knowledge retention and behavior change based on personal needs and organizational objectives. In doing so, we end up creating a stronger, more sustainable security training program that demonstrates organizational value.