AppSec eLearning

I’ve been noticing an interesting trend in AppSec training — specifically, organizations moving from ILT (instructor-led training) to CBT (computer-based training.)  Normally I would chaulk this up to the economy since e-Learning is more scalable and economical; however, the trend has a much more practical driver — time.  Development teams are throughput-driven and most organizations struggle taking 10-15 architects, developers, and QA staff off the bench for 2-3 days to sit through ILT. Thus, the appeal of a self-paced e-Learning course is great.

According to one recent CISO I spoke with, CBT also provides an “always on” aspect that ILT cannot and he felt this was especially germaine to security topics. Often a developer needs to learn (or refresh her knowledge) on a specific topical area – easy to do with CBT, not so much with ILT. And unlike past CBT, which meant little more than slides with a talking head, this CISO said that today’s e-Learning courses are high-quality, interactive, and engaging; thus, the knowledge sticks (a long-time knock against CBT.)

We have a perfect storm brewing here with the ingredients of:

• 24×7 access to key security knowledge/learning
• Cost-effective, scalable training
• Self-paced (read: doesn’t impact the day job)
• Everyone trying to squeeze more out of less

Looks like AppSec CBT may be here to stay…