Training Toolkit for Managers
It happens all the time — weekly, if not daily. A customer approaches us and tells us that part of their mandate is to ensure their development teams are trained and able to protect against security vulnerabilities. Their budget, however, is either minimal or controlled by another department in their organization. With application security gaining more and more visibility worldwide, we continue to ignore the importance of building a culture of security from the foundational level up. How can we expect our dev teams to “just know” when we aren’t providing them with tools necessary to do their jobs?
Securing a budget for training can be difficult. Many times, it involves multiple people across multiple departments with widely varying opinions. The more red tape, the harder it is to gain buy-in for training. At Security Compass, we’ve been doing this for a long time, and we have witnessed first-hand the benefits of proactive rather than reactive training. Here are some tips on how to persuade and secure funding for something that is increasingly becoming more vital to your organization’s success.
Use the Facts
Proactive training has a lower cost than reactive recovery. We’ve all heard the saying, “do it right the first time,” and when it comes to developing secure applications, this holds extra true. According to WhiteHat Security, the average site has 23 vulnerabilities, 13 of which are serious, and 48% of which will eventually get remediated. The average time it takes to remediate these vulnerabilities is 200 days. Needless to say, if training can help dev teams eliminate vulnerabilities from the start, the whole organization will save a lot of time, headaches, and ultimately money.
If you’re fighting for a larger training budget, you can argue that you are saving your organization money by training your dev team to avoid potential security risks. The table below by IBM shows that it is 100 times more expensive to fix a defect after it has been released than during the design phase.
Build Training into your SDLC
Making training an integral part of your SDLC can help ensure that training isn’t treated like an afterthought or an add-on. When building your strategy, training should come from the top down and should (in the best case scenario) be mandatory. It may seem harsh to “force” training on your team, but eventually you’ll build a security culture that wants to learn so that they don’t get left behind.
Without the proper training, everything becomes a reactive game of trial and error. It’s important to learn the basics, and then employ them on a larger scale. Everyone needs to have a baseline of fundamental knowledge. If we rely on humans to build applications, we are at risk of errors that training could have mitigated. If you build training into your overall plan, the cost of training becomes a fraction of the cost of remediation.
Stop the Revolving Door
Developers in the tech world today have boundless opportunities. There are a lot of good jobs, and developers regularly receive a lot of enticing offers with a lot of potential benefits. They tend not to stay too long in one place, because there are always “better” opportunities elsewhere. Churn is expensive, and carries significant risk for your organization.
Organizations that provide training and growth opportunities see less turnover. In a recent survey of millennials on the job market, a whopping 53% of respondents cited “learning new things or having access to learning or professional development opportunities” as a reason they would consider staying in one position longer. Investing in your team saves you the cost of replacement and retraining.
Make Training Continuous and Tailored
Nobody wants to waste time. The most frequent argument that we hear against training, and that anyone is likely to hear in their own organization, is that development teams “don’t have time” for training.
Some major time savers are to ensure that your teams take only the training they require, and that they are continuously reminded of what they’ve learned. If they invest the time into the training, ensure that your organization is calling attention to the importance of what they have learned, and how it is improving the business. Continuous, tailored learning increases retention and buy-in, which will lower the amount of remediation in the end. Role-based learning that benefits both the organization and the student will be seen as the most valuable and thus provide the highest adoption rates.
In the end, the thing to emphasize is that dev teams will free up more time for more important and enjoyable work if they are trained in ways to avoid vulnerabilities that will require lengthy remediation later. On a larger level, this means employees are wasting less time and companies are lowering their risk of costly data breaches.
Michelle Dizon, Director of Training at Security Compass