Contextual, Hands-On Learning: The Supercharged Way to Train Your Brain for Security
I'm sorry, I have to deliver some bad news.
Traditional training is dead.
Well, okay, it's not... but it probably should be. Time and time again, studies have shown that sticking a bunch of people in a classroom to learn something new, tick off a compliance task or undergo retraining is one of the most ineffective ways for people to receive an education. And when it comes to corporate training, those statistics don't improve. The Harvard Business Review published a study on the effectiveness of classroom training for new hires at large corporates, finding that this learning method took an average of eight to twelve months to get new employees up to speed and productive. That is a very long time to fully utilize a person's skills (and a long time to get comfortable, if you're the new hire). These days, most places don't have that kind of time; inevitably, corners get cut, people don't receive the training they need and a company loses out on a lot of value that could be attained much sooner.
It truly boggles the mind that many places still rely on classrooms, dry textbooks and mind-numbing video training to get their best and brightest on-board with company best practices or new initiatives, especially when there's a far better, more engaging and more valuable way to learn: contextual training. As it turns out, we humans are way better at retaining information when we get hands-on with new ideas and processes.
Now, when it comes to developers... we're a special bunch. From my own experience as a developer, traditional training doesn't exactly set my world on fire. Devs tend to be creative, resourceful problem-solvers who would much rather be using the tools than be lectured at in a classroom, or sat in front of endless videos of a talking head when trying to learn new information. If you look at security training in particular, there appears to be a clear disconnect in the current landscape: developers are failing to address common vulnerabilities in their code, leading to AppSec professionals tearing their hair out when they are faced with the same easily fixed problems over and over again. The relationship between those teams is strained, and developers are not given the right tools and training to stay engaged with secure development best practices. Their main objective is feature-building, but with cyber risk rapidly increasing for every company, we simply cannot afford to ignore and deprioritize security knowledge any longer.
And the best part? If developers are security-aware, those common vulnerabilities start to disappear. Risk is reduced, along with the costs of fixing late-stage bugs (and AppSec stops losing their hair by the handful).
So, what does engaging developers with contextual training look like, exactly?
Real-world examples are ridiculously powerful.
Imagine if we all had to learn to drive by watching videos on YouTube. While you can get the general idea of how a car works, as well as the sequence of actions that gets you moving down the road, it would be virtually impossible to learn to drive well until you hop in a car and try it in person.
Contextual training is so valuable because it puts the student in the driver's seat of whatever is being taught. When you have a real-world context for something, it makes the learning far more engaging and meaningful.
Looking at secure coding, anyone can sit through a video and understand the basics of SQL injection, but the nitty-gritty of actually solving the problem is easily forgotten when deadlines loom and feature delivery takes priority. However, if it were possible to review real code examples, identify the injection and fix it as part of a training exercise, that would be far more applicable to a developer's day job than trying to retain one-way information. It's also more relatable for a developer: if they see code that is similar to what they usually write, they will sit up and pay attention.
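As an added illustration of the kind of exercise just described (example code, not from the original post or the Secure Code Warrior platform): a lookup function containing the injection the learner is asked to spot, the parameterised fix they are expected to submit, and a small grading check that a training harness could run against either version. The function names, the `users` table and the sample rows are all constructed for this example.

```python
"""Hands-on SQL injection exercise: 'before' code, expected fix, and a grader.

Added example, not part of the original post. Everything here (table layout,
sample users, function names) is constructed for illustration.
"""
import sqlite3

# Constructed sample data. The third name contains an apostrophe on purpose:
# it is a perfectly legitimate value that exposes string-spliced SQL.
SEED_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "O'Brien", "obrien@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database for the exercise."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' code the learner reviews.

    The caller-supplied name is spliced straight into the SQL text, so the
    input is parsed as part of the statement rather than treated as a value.
    """
    query = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    """The expected fix: a parameterised query.

    The driver sends the value separately from the SQL text, so whatever the
    name contains, it can only ever be compared against the column.
    """
    query = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def grade_submission(lookup) -> dict:
    """What a training harness could check when a learner submits a fix.

    Two checks: an ordinary lookup must still work, and a legitimate name
    containing a quote must be found rather than breaking the statement.
    The spliced version raises on that input; the same splicing is what lets
    crafted input change a query's meaning, so a failure here means the
    injection has not been removed. Returns a dict so the caller can see
    which check failed and, if the submission raised, the exception type.
    """
    conn = make_db()
    result = {"normal_lookup": False, "quoted_name": False, "passed": False}
    try:
        result["normal_lookup"] = lookup(conn, "bob") == [(2, "bob", "bob@example.com")]
        result["quoted_name"] = lookup(conn, "O'Brien") == [(3, "O'Brien", "obrien@example.com")]
    except sqlite3.Error as exc:
        result["error"] = type(exc).__name__
    finally:
        conn.close()
    result["passed"] = result["normal_lookup"] and result["quoted_name"]
    return result


if __name__ == "__main__":
    print("vulnerable submission:", grade_submission(find_user_vulnerable))
    print("fixed submission:     ", grade_submission(find_user_fixed))
```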
On the Secure Code Warrior platform, we've gamified secure code training, offering a wide variety of challenges in multiple languages and frameworks. The system encourages repeat play and, most importantly, is instantly customizable to offer the right environment for true contextual learning.
Provide knowledge when it is most useful
According to contextual learning theory, effective learning occurs only when students process new information or knowledge in such a way that it makes sense to them, within their own individual frames of reference.
Imagine that a developer receives a list of security vulnerabilities from bug bounty programs, SAST tools, or bug-tracking software. They may be perplexed - even overwhelmed - if they've never come across these vulnerabilities before. What's worse, most reports are designed for application security experts and not developers. The information in the reports is hard to parse and often contains generic advice not directly applicable to a developer.
Recently, we've added the ability to deep-link directly to hands-on training on vulnerabilities from bug bounty programs, SAST tools, bug-tracking software and penetration test reports. Developers can immediately understand the basics and learn good coding recipes for their particular framework.
Learning in this way ensures developers are receiving knowledge and training on concepts when they are most relevant, and they are far more likely to retain that information in the long term.
Faster results, less disruption, happier campers.
With any training, an immediate context with your day-to-day activities is going to be far more powerful than attempting to apply something generic to your work. You spend less time in "study mode", or worse - having to go back through things you've already "learned" when you need an answer for something.
One of the principles of contextual training is the ability to build upon knowledge so that each component of the training adds to the previous one, allowing for a stepped process that gives participants a pathway to mastery. Again, this is something we support on our platform, with a belt system similar to what might be found at a karate dojo. Everyone starts off as a white belt, before progressing to the coveted black belt, or "security champion", level after putting in the necessary hours of training and tournament participation. It's a fun approach with real-world value and practical application.
Want to retain the best talent and keep them security-aware? Give them the tools to succeed.
It's an unfortunate reality that, right now, security-aware developers and AppSec specialists are a scarce (yet vital) resource. They're also notoriously difficult to hold onto.
Cybrary conducted a survey among 3100 IT and security professionals in 2018, revealing that a key element in retaining valuable employees was investing in their training. Their findings show that companies that provide the tools and training to nurture their in-house security skills were able to retain security pros 60% more than those that didn't, and a whopping 65% of respondents preferred that training to be hands-on. Pretty neat, huh?
However, the survey results also provided a rather alarming revelation: 80% of respondents do not feel adequately prepared to defend their organization against cyber threats. Those threats are not going away, and the right training to combat the growing risk of costly data breaches and attacks is needed now more than ever. And, well, I may be biased, but Secure Code Warrior's platform could be the tool you need to spark a positive security culture, upskill and support developers with the contextual training they love and protect your organization from the bad guys. Request a demo and we'll show you more.
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.