What Is “Educate” In The 3E Framework?


The 3E framework is a comprehensive approach that helps organizations integrate cybersecurity into their software development lifecycle. The framework prescribes three sequential steps, Educate, Embed, and Empower, in increasing order of maturity and impact. The first step is “Educate,” which focuses on training development teams and business stakeholders on security. 

This foundational step ensures that everyone involved in the development process understands the importance of security and is equipped with the necessary knowledge and skills to implement secure practices.

Development Team Training

Standard computer science curricula do not always include security training, so many new programmers are unfamiliar with application security when they start working. Without that grounding, development teams can fall into an “ignorance is bliss” trap: they believe their products are secure without knowing what application security entails. In our experience, any effort to be “secure by design” is unlikely to succeed unless development teams understand the magnitude of application security risks.

Data from IBM’s Cost of a Data Breach report shows that employee training has the second highest impact on reducing the cost of a breach after adopting a DevSecOps approach.

Training development teams is a crucial first step in fostering a security-conscious culture within an organization. Various methods exist to achieve this, and understanding the preferences and needs of your team is key to selecting the most effective training approach.

What to Train Development Teams On

Application security is a broad domain that you can spend your entire career learning about. We recommend developers start with fundamental education and move on to other topics from there:

Figure: Tiers of application security training

Training Methods

A survey conducted by Security Compass in 2024 highlighted several aspects of application security training programs. It revealed whether security training was mandatory or voluntary, the forms of training provided, and the presence of a security champions program.


Figure 1: Survey results on the prevalence and effectiveness of security training programs and Security Champions initiatives

Training

Most companies provide secure development training, and of those that do, two-thirds do so because it is mandatory for compliance. The picture was similar in the US and the UK. Large enterprises are more likely to provide it for all applications.

  • Overall: 66% of respondents report that security training is mandatory for compliance, while 34% have no such requirement.
  • Geography: In the US, 68% of respondents must take security training for compliance, whereas in the UK the figure is lower at 60%.
  • Revenue: Larger enterprises (with higher revenue) are less likely to mandate security training; 3% of respondents wish it were mandated.

Security Champions

Over half of the companies that do threat modeling have a Security Champions program, and of those that do, most find it quite effective.

  • Overall: 53% of companies have a Security Champions program; 33% do not have one but consider such programs effective.
  • Geography: In the US, 54% of companies have a Security Champions program, while in the UK, the figure is lower at 52%.
  • Revenue: Companies with less than $1B are more likely to have a Security Champions program than companies with higher revenues. Specifically, 62% of companies with less than $1B in revenue have a Security Champions program, while 49% of companies with over $1B have such a program. 

Figure 2: Preference for security training formats by geography and revenue

Security Training Formats

Interactive hands-on training formats are the most popular overall, followed by instructor-led training. Notable differences in format were seen between the UK and the US, with the latter much more likely to use self-paced learning and just-in-time training (JITT).

  • Overall: 49% of companies prefer interactive training such as hands-on training platforms, while 45% prefer instructor-led training.
  • Geography: The preference for interactive training is slightly higher in the UK compared to the US.
  • Revenue: Enterprises (<$1B) prefer self-paced learning and JITT, integrating short videos relevant to the application being developed.

Gamification

Gamification, such as using leaderboards to show who has completed the most training, is popular among development teams. It introduces a competitive element to the training process, driving engagement and encouraging continuous learning.

Figure: Likelihood to opt into application security training

  • Interactive vs. Standard Training

Interactive training methods, including hands-on labs and simulations, increase engagement, retention, and the desire to learn more. However, not all training material can be covered interactively. For instance, compliance requirements may be better suited to standard training formats like lectures or reading materials. Thus, a blend of both interactive and standard training is recommended to cover all necessary topics effectively.

  • Accreditation

Accreditation is an important consideration when selecting a training solution. Obtaining credentials from trusted entities such as ISC2, SANS, or well-known academic institutions can be a significant business differentiator. It adds value for external stakeholders and enhances a developer’s resume by demonstrating their commitment to continued learning in their field.

Figure: Accreditation viewpoint on application security training

Considerations for Developer Training

When planning developer training, it’s essential to take a strategic approach that addresses the diverse needs of your team and aligns with your organization’s overall security goals. Here are some key considerations to keep in mind:

Event-focused vs. Process-focused Training

  • Event-focused Training: This training is centered around specific events, such as workshops, boot camps, or hackathons. These events are often intensive, providing quick, deep dives into particular topics. Event-focused training can be highly effective for initial onboarding or when introducing new security practices and tools.
  • Process-focused Training: This training is integrated into the ongoing development processes. It includes continuous learning opportunities, such as regular training sessions, on-the-job training, and integration of training materials into daily workflows. Process-focused training ensures that security education is a continuous effort rather than a one-time event, helping to reinforce and build upon existing knowledge over time.

Mandatory vs. Career Development

  • Mandatory Training: This type of training is required for all developers, ensuring everyone has a baseline understanding of security principles and practices. Mandatory training is crucial for maintaining a consistent security standard across the organization and ensuring compliance with internal policies and external regulations.
  • Career Development: Positioning training as part of career development can motivate developers to engage more deeply with the material. Offering advanced courses, certifications, and opportunities for professional growth can make security training more appealing. This approach can help develop security champions within the team who are highly knowledgeable and passionate about security.

Comprehensive vs. Targeted Training

  • Targeted Fundamental Training: This approach focuses on specific security areas relevant to the developers’ current projects or roles. Starting with targeted fundamental training helps build a strong foundation by addressing the most crucial security challenges developers encounter in their work.
  • Comprehensive Training: Once a solid foundation has been established with targeted training, developers, particularly those in security-critical roles, can move on to comprehensive training. This approach covers various security topics, providing a well-rounded understanding of application security. Comprehensive training ensures developers have deep knowledge in all areas critical to their responsibilities.

Creating a Security Culture

A robust security culture must be supported by organizational buy-in that reinforces the importance of security. This includes:

  • Leadership Support: Visible commitment from leadership to prioritize security.
  • Incentives and Recognition: Rewarding and recognizing employees who excel in implementing security practices.
  • Continuous Improvement: Encouraging a mindset of continuous learning and improvement in security.
  • Cross-functional Collaboration: Fostering collaboration between development, security, and operations teams to integrate security into all development lifecycle stages.

Getting Started with Training

Here’s how to begin your Educate step of the 3E framework:

  1. Assess Current Knowledge Levels: Conduct a baseline assessment to understand the current security knowledge and skills within your development team.
  2. Define Training Objectives: Based on the assessment, define clear training objectives that align with your organization’s security goals. For example, an objective might be that every developer reaches a baseline level of security education, or that the program satisfies a standard such as the Payment Card Industry Data Security Standard (PCI DSS), which requires developers of in-scope software to be trained in secure coding at least annually.
  3. Select Training Materials: Choose appropriate training materials to meet your training objectives.
  4. Implement Training Program: Deploy the training materials, ensuring they are interactive and engaging to maximize retention and application.
  5. Evaluate and Iterate: Continuously evaluate the effectiveness of the training program through feedback and performance metrics and make necessary adjustments to improve its impact.

If you are just starting out, consider using our free Kontra training modules. These modules provide a solid foundation for your team and help integrate security into your development processes.

By considering these factors and taking a structured approach to developer training, organizations can build a knowledgeable and security-conscious development team ready to tackle the evolving challenges of application security.


Business Stakeholder Training

Educating business stakeholders about application security is equally important yet often neglected. These stakeholders play a critical role in supporting Security by Design initiatives. Fortunately, the scope of necessary training for business stakeholders is generally narrower than for development teams.

This guide outlines key areas of education for business stakeholders, particularly around value drivers. Here are two free resources to assist with this training:

  • The Case for Security by Design: This resource explains why Security by Design is essential and how it can benefit the organization.
  • Building a Bridge to Security Island: This resource helps stakeholders understand their role in supporting security initiatives and how to collaborate effectively with development teams.

Conclusion

The “Educate” phase in the 3E framework is pivotal for embedding security into the software development lifecycle. Organizations can cultivate a culture of security awareness and competence by providing targeted, relevant training to both development teams and business stakeholders. 

This foundational step ensures that all participants are prepared to implement secure practices, ultimately leading to more resilient and secure software systems. As cybersecurity threats evolve, investing in education and training remains a critical component of any comprehensive security strategy.