In-House vs. Vendor: Which is the Best Way to Provide Secure Coding Training?

According to the latest EMA report, 64% of the cybersecurity training provided to employees was developed in-house. But is this the best approach for organizational secure coding training? 

In this article, we will compare the experience of creating in-house secure coding training with hiring an external vendor, including the associated costs and value. 

In-House Secure Coding Training  

In-house secure coding training consists of training content developed and deployed by internal company employees. This can be done by creating content from scratch or pulling individual modules from learning platforms across the internet. 

The main aim of providing in-house secure coding training is to empower developers and other software professionals with the expertise and knowledge to write secure code without hiring external consultants. This training is typically organized by someone in the HR/Training department, such as a Training Manager, or by a Security Expert, such as a Security Engineer. 

In-House Coding Training Vendor Benefits 

There are some benefits for organizations that are building their secure coding training in-house, including: 

• Content Customization: In-house training can be customized to meet the specific needs of the organization, including the programming languages and frameworks that are used, the particular security concerns that the organization is facing, and the learning style of the employees. 
• Program and Content Control: When organizations create their secure coding training, they have complete control over the content and delivery of the training. Administrators can deploy training in a modality, timing, and format that aligns with their security culture and goals. 

Hiring a Secure Coding Training Vendor 

A secure coding training vendor is a company that provides training content on secure coding practices to developers and other software professionals. Most secure coding training vendors have a library of content on their own platform that organizations pay to have access to.  

The cost of a secure coding training vendor varies depending on several factors, including the vendor's experience, the trainers' expertise, the quality of the training materials, and the delivery options offered. 

See Security Journey’s Pricing and Plans 

EMA research shows that hiring a secure coding training vendor and the highest code security improvement rates (100%); third-party training appears to be the critical component in which some organizations are failing to invest. 

Secure Coding Training Vendor Benefits 

There are some benefits for organizations that hire a secure coding training vendor, including: 

• Quality of Content: Vendors that specialize in secure coding training have the opportunity to employ a team of experts on the security side and the training side to ensure content is accurate and follows generally accepted learning science principles. 
• Amount of Resources: Secure coding training vendors have the resources to develop and deliver high-quality training materials. This includes developing hands-on exercises and labs, as well as creating engaging and informative presentations. 
• Convenience for Employees: Hiring a secure coding training vendor is convenient for organizations. The vendor will take care of all aspects of the training, from developing the training materials to delivering the training to the employees. This frees up the organization's time and resources to focus on other priorities. 

The graphic below shows how third-party-developed training (100% improvement) provides a slight competitive edge over in-house training (97.4% improvement); developing and maintaining training in-house can be expensive, requiring an entire team with very specialized skill sets to keep training up to date. 

Creating Secure Coding Training Content 

Creating effective secure coding training content takes dedicated time and expertise, and not all organizations have these types of resources internally. 

You may need to hire or contract professionals such as: 

• Application Security Expert ($65/hour*) 
• Security Engineer ($75/hour*) 
• Instructional Designer ($37/hour*) 
• Videographer/Editor ($20/hour*) 

*hourly pay is average across the US for similar job titles 

It can take, on average, about two weeks to create a single secure coding training lesson (video or hands-on). Still, that timeline depends on the number of languages being covered, the quality of the lessons and content, and how much employee time is being dedicated to content creation. 

If you are building a continuous training program with ongoing content being deployed, you’ll want at least one new lesson a month for 12 months. If it takes two weeks to build a lesson from beginning to end, and you need at least 12 lessons a year – it will take about six months of dedicated time to create a secure coding training program from scratch. 

In addition to creating the initial training content, there are other factors to consider, such as: 

• Content Upkeep: Keeping content relevant and up to date with the latest regulations, vulnerabilities, and technologies. 
• Maintenance and Hosting: Cost and time dedicated to ensuring learners have access to the training content and hosting any tournaments, events, tracking, and reporting. 

If you want to learn more about how Security Journey can help you develop your secure coding training program, you can schedule a meeting with our team today.