Pick awesome over boredom. Why Training quality matters.

March 31, 2013

Whether you’re looking to give staff OWASP training and/or Security Awareness training, at some point you will need to decide what kind of computer-based training product to purchase. In developing vendor criteria, it may seem to make sense to purchase training with a LOT of content, but let me tell you why training quality matters.

Buying a lot of something seems like a great idea. After all, buying more usually is a better value. However, if you’ve bought stuff in bulk before, say groceries, you know that this decision can easily backfire. Your purchase might not taste very good, you could get bored of eating it all day, or food might simply go bad before you get a chance to finish it all.

When it comes to buying too much, I often run into a situation where people are looking to compare how many hours an Application Security CBT contains and how much value they can get out of it. The thinking is that a longer course is better value or as I like to say, the “all you can eat buffet”. This thinking can also backfire and you may end up with something you really don’t want anymore. Here’s why you should always choose awesome over boredom.


Learning has never been based on the amount of content

If I asked you to learn everything about frogs and then threw you a bookshelf of biology books, it is likely that you wouldn’t know where to begin. It may be the case that you could get overwhelmed and possibly give up on the basis that spending all these hours finding where to start isn’t going to be a fun ride.

Let’s be honest… Application Security is a broad topic and complicated. When learning about Application Security, it is most important to find the right course that meets the learning goals of your teams. We believe that a good CBT should provide different mechanisms for the student to learn content and tie learning goals to the real world in order to provide context to the student.

Let’s take a topic such as cross-site scripting (XSS). There are thousands of sites on the internet dedicated to XSS, but having each and every kind of XSS attack presented to the student would be absolutely daunting. This is what some courses try to do, but ultimately it fails because the student misses the entire goal of the lesson itself, which is understanding why a particular attack happens and why an attacker would want to perform an XSS attack in the first place. It also assumes the students know about HTML and JavaScript, an assumption that in my experience is wrong.

What’s more awesome is to demonstrate the concepts around cross-site scripting in an accessible manner that people can relate to, along with the business impacts of such attacks, something rarely covered in industry courses. Regurgitating hours of detailed content is the wrong approach and is simply discouraging.

Your staff may not have enough time

Going back to the subject of value for the money, consider that it is truly a better value to have a student take 30 minutes of quality training relevant to their goals vs. 3 hours of training that covers too much content that does not help that student’s daily needs. In today’s fast-paced economy, most teams are extremely busy with their important jobs, juggling a multitude of goals each day. They don’t have time to sit down for a long, 3-hour bout of training where they need to hunt for the content that really matters to them.

You want to make sure that when they sit down, you target them with training tailored to their needs. Giving them too much content, or training that is too long and unengaging, doesn’t provide them with the tools they need to do their job. Training shouldn’t be purchased based on the length of content alone. In our experience, people shy away from long training since they see it as a time-consuming item on that never-ending to-do list.

What’s more awesome is a course that packages learning in a modular fashion, where each unit can be tailored to the learning goals of the individual and can be taken in chunks, without making someone feel like they need to clear their schedule for the week just to take a CBT course. Respect your staff’s time, and they’ll respect the training you want them to take.

Great learning is not based on textbooks

If you’ve had a really good teacher, you probably know that quality learning doesn’t involve reading textbooks. Textbooks help reinforce topics, but learning is very dependent on the delivery of the concepts taught by the instructor. In fact, the best classes I’ve ever sat in are like those great TED talks you can’t put down your iPhone for. An instructor has a very engaging and inspiring way to bring concepts and thoughts to life.

When choosing your Application Security CBTs, we advise that you analyze how abstract security concepts are relayed to the student through the voice audio. Is it engaging and dynamic or is it simply a computerized voice talking in a monotone fashion? You need to find that course which ties all the different components together in a great package.

To pick your training course based on the hours of content is like buying a book off the shelf purely based on how many pages the book contains. Not the kind of value you want. What you really want to find is that one awesome book, that keeps the reader involved and engaged until the last page.


If you are looking for Application Security CBTs, consider the person on the other side taking the training. They may not all be the same person and will have different styles of learning, different goals and different needs. Consider that the course you’re evaluating based on length may address none of these needs, and what first appears as value may hurt you in the end. Pick awesome over boredom and remember your target audience. Your students will thank you for it.
