Maximise ROI on Appsec Education Programmes
4th March 2012
Behind every successful application security programme, there is a good,
methodical and role-specific education programme. This is a known fact and we
have been preaching it for years. But, we also know that organisations struggle
to achieve a good return-on-investment (ROI) from these education programmes.
Most of what is being taught in the education programmes doesn’t get applied to
Why is that? Is it a problem with the attendees of these education programmes or
the training approach itself? We believe it’s the latter…
Let’s have a look at what’s wrong with the training approach adopted by almost
everyone. Today, the majority of application security education programmes are
run as courses with a duration of 2 or more days. It is very difficult for the
organisers to ask 10-15 key project members to leave everything where it is and
confine themselves in a training room for 2 days. Even if the organisers were
able to do that, the attendees keep getting distracted by job obligations such
as production issues, urgent emails and what not!
The trainers want to share all the knowledge they have gained through years of
experience. But, they have only 2-3 days to do this. So, a course which seems
reasonably set on a piece of paper overwhelms the attendees with information.
And, the result is that the attendees lose interest somewhere in between the
course. Even if they try to keep up with the course, there is only so much that
the human mind can grasp in this much time.
After the course is finished, attendees are encouraged to research further
and apply the concepts learnt during the training. But, they have covered so
much in the course that it is next to impossible to try, test and read further
on every topic while performing their daily duties. And, they end up forgetting
most of what they learn.
So, what does this mean for an organisation? “The net ROI from such
education programmes is minimal”. Now, we know that we need an education
programme to be successful, but the classical training approaches provide
minimal ROI. Is there a better way to approach this?
So, what is the solution?
Instead of monolithic training courses, we create self-contained
highly-interactive lectures of 1.5 hours to 2.5 hours duration and schedule
these over a period of time, e.g. one lecture a week. This, in principle, is
exactly how our universities provide education, so this approach is not new,
at least not in mainstream learning, and is proven to work.
Every lecture focuses only on one topic or multiple closely-related topics so
that it’s easier for attendees to research further after the session. Finally,
project members may attend only the sessions which cover topics directly related
to their role.
So, this gives us a highly flexible training approach with several
benefits such as:
What does this give us? - Maximum ROI from education programmes and a strong
backbone of the organisation’s overall application security programme.
- Smaller training sessions i.e. 1.5 to 2.5 hours long are much easier to
- It is much easier for attendees to take out a couple of hours a week without
impacting their work schedules and commitments. Hence, such lectures and
education programmes will get better support and recognition from management.
- Attendees get ample time to grasp and research further on every topic they
learn during the sessions. Hence, they are more likely to apply what they learn
to their projects.
- In addition to the above, this approach is cost-effective too.
Considering the above, AppSecure proudly announces its ‘first of its kind in Asia
Pacific’ application security lecture series. This series has 10 self-contained,
highly interactive 2 hour lectures catering for all development staff, whether
they are architects, developers, QA testers or managers. In every lecture, the
trainer focuses on a particular topic and uses examples and demonstrations to
provide just enough information that can be grasped by attendees.
Contact us at
email@example.com for further information or the curriculum.
Sandeep Nain, Managing Partner
Appsecure Pty Ltd