Great quote on training from the twitterverse yesterday via @cykyc:
"What if we train our people and they leave?
...
What if you don't train them and they stay?"
Rarely do you get so much wisdom from < 140 chars. I have seen the latter scenario play out several times and it ain't pretty. In my swamp of software security, there is no way around training because, quite simply, software people don't know enough about security and security people don't know enough about software. (Hey, that might fit in under 140 chars!)
There is actually another major benefit beyond knowledge transfer: very often in software security training you get a decent percentage of the top software people and top security people in the company in a room together for two days. This very rarely happens otherwise, and a lot of peer-to-peer networking takes place. I work to facilitate as much of this as possible.
One of the major benefits of doing in-house training is that we don't need to use generic, industry-wide Petshop-type examples; instead we take the company's gnarliest problems and use them as the case studies for the class. More often than not we come up with new ways of looking at the problems and new ideas on approaching a solution.
So yeah, don't worry about keeping your people untrained and in house; instead, bring as much knowledge in house as you can.