I've been noticing an interesting trend in AppSec training -- specifically, organizations moving from ILT (instructor-led training) to CBT (computer-based training). Normally I would chalk this up to the economy since e-Learning is more scalable and economical; however, the trend has a much more practical driver -- time. Development teams are throughput-driven and most organizations struggle to take 10-15 architects, developers, and QA staff off the bench for 2-3 days to sit through ILT. Thus, the appeal of a self-paced e-Learning course is great.
According to one recent CISO I spoke with, CBT also provides an "always on" aspect that ILT cannot, and he felt this was especially germane to security topics. Often a developer needs to learn (or refresh her knowledge) on a specific topical area -- easy to do with CBT, not so much with ILT. And unlike past CBT, which meant little more than slides with a talking head, this CISO said that today's e-Learning courses are high-quality, interactive, and engaging; thus, the knowledge sticks (a long-time knock against CBT).
We have a perfect storm brewing here with the ingredients of:
- 24x7 access to key security knowledge/learning
- Cost-effective, scalable training
- Self-paced (read: doesn't impact the day job)
- Everyone trying to squeeze more out of less
Looks like AppSec CBT may be here to stay...





