Maximise ROI on Appsec Education Programmes
4th March 2012

Behind every successful application security programme there is a good, methodical and role-specific education programme. This is a known fact and we have been preaching it for years. But we also know that organisations struggle to achieve a good return on investment (ROI) from these education programmes. Most of what is taught in the education programmes doesn’t get applied to the projects.

Why is that? Is it a problem with the attendees of these education programmes or with the training approach itself? We believe it’s the latter…

Let’s have a look at what’s wrong with the training approach adopted by almost everyone. Today, the majority of application security education programmes are run as courses with a duration of 2 or more days. It is very difficult for the organisers to ask 10-15 key project members to leave everything where it is and confine themselves to a training room for 2 days. Even if organisers were able to do that, the attendees keep getting distracted by job obligations such as production issues, urgent emails and what not!

The trainers want to share all the knowledge they have gained through years of experience. But they have only 2-3 days to do this. So, a course which seems reasonably set on a piece of paper overwhelms the attendees with information. The result is that the attendees lose interest somewhere in the middle of the course. Even if they try to keep up with the course, there is only so much that the human mind can grasp in this much time.

After the course is finished, attendees are encouraged to research further and apply the concepts learnt during the training. But they have covered so much in the course that it is next to impossible to try, test and read further on every topic while performing their daily duties. And they end up forgetting most of what they learnt.

So, what does this mean for an organisation? The net ROI from such education programmes is minimal. We know that we need an education programme to be successful, but the classical training approaches provide minimal ROI. Is there a better way to approach this?

So, what is the solution?

Instead of monolithic training courses, we create self-contained, highly interactive lectures of 1.5 to 2.5 hours' duration and schedule these over a period of time, e.g. one lecture a week. This is, in principle, exactly how our universities provide education, so the approach is not new, at least not in mainstream learning, and is proven to work.

Every lecture focuses on only one topic, or on multiple closely related topics, so that it’s easier for attendees to research further after the session. Finally, project members may attend only the sessions which cover topics directly related to their role.

So, this gives us a highly flexible training approach with several benefits such as:

  • Smaller training sessions, i.e. 1.5 to 2.5 hours long, are much easier to organise.
  • It is much easier for attendees to take out a couple of hours a week without impacting their work schedules and commitments. Hence, such lectures and education programmes will get better support and recognition from management.
  • Attendees get ample time to grasp and research further every topic they learn during the sessions. Hence, they are more likely to apply what they learn to their projects.
  • In addition to the above, this approach is cost effective too.

What does this give us? Maximum ROI from education programmes and a strong backbone of the organisation’s overall application security programme.

Considering the above, AppSecure proudly announces its ‘first of its kind in Asia Pacific’ application security lecture series. This series has 10 self-contained, highly interactive 2 hour lectures catering for all development staff, whether they are architects, developers, QA testers or managers. In every lecture, the trainer focuses on a particular topic and uses examples and demonstrations to provide just enough information that can be grasped by attendees.

Contact us at info@appsecure.com for further information or the curriculum.

Sandeep Nain, Managing Partner
Appsecure Pty Ltd
