As the security industry continues to grapple with a shortage in skilled professionals, particularly within very specific niches like application security, the state of security professional development continues to keep the industry locked up in a number of hotly contested debates. Beyond the most obvious argument over the value of security certifications, some security pundits have stepped up to argue about a more fundamental impediment to rising the tide for all boats in the industry: the cost of paid training.

"Mathematically it's easily demonstrable that organizations can't afford to send all of their employees to a class when you're talking classes that typically are around $1,000 a day," says Xeno Kovah, lead infosec engineer at The Mitre Corporation. "It's just not possible to take a group of 50 people out of your company, if you have a large one, and pay the amounts of money that are being asked to sufficiently bootstrap your employees."

Regardless of budget, though, more frustrating for early-career security professionals is what Kovah calls a gap in vocational knowledge between what college-level degree programs offer in foundational curriculum and what security professional development certification programs or very specialized paid training courses offer. Gaining the knowledge to get from point A to point B can be difficult even if the professional does have the money in hand or an employer sponsor willing to foot the bill.

[Is malware getting around BIOS security measures? See BIOS Bummer: New Malware Can Bypass BIOS Security.]

"Imagine that I'm a graduate and have just now completed my degree," says Ajay Nawani, chief of Cyberoam Academy, a security course recently launched by network security firm Cyberoam, who agrees that there's a gap between theoretical and practical knowledge that the industry hasn't done a good job addressing in early career security pros. "I will never have those kinds of [knowledge] for those kinds of professional, highly skilled courses. I wouldn't be able to get into CISSP without spending maybe three or four years in the industry. Only then could I think of attending such courses." Even though there's no easy answer to getting security professionals the right training for their jobs, Kovah believes that applying open-source principles to the field of security professional development could go a long way toward filling the vocational knowledge gap while helping to drive down the cost of training. He's bringing that ethos to a new side project he's spearheading, called OpenSecurityTraining, a massive open online course (MOOC) platform that gives security experts the opportunity to make open courseware, training videos, and other curriculum available both to self-directed learners and to other trainers who might want to use it to develop their own classes.

And just as open-source and paid software coexist in a happy equilibrium with their own roles in the enterprise, he believes his MOOC approach is a good supplement, rather than a competitor, to paid training.

"I see this as augmenting some of the existing commercial training," Kovah says. "I don't see it as trying to replace the commercial training. There's always going to be much deeper potential for classes, but simultaneously we're not trying to do the sort of foundational knowledge that a lot of online classes coming out of colleges will handle."

Instead, where he sees OpenSecurityTraining falling in the spectrum is in the intermediate-level course work that may get pros started on more advanced and specialized career tracks. So, for example, some current offerings include Introduction to Vulnerability Assessments, Malware Dynamic Analysis, and Intro to Software Exploits. He is currently working on encouraging other thought leaders and trainers in the industry to share courseware and knowledge in other areas, like application security, to bolster out the offerings.

New York University adjunct professor Keith O'Brien says that self-directed learning and similar grassroots alternatives aren't new to the security industry, pointing to efforts like Security Tube as evidence of outlets that experts have set up to share information and mentor the younger set. Unfortunately, with many of the other alternatives, "it's all just kind of thrown at you," says O'Brien, who teaches classes at NYU. According to Kovah, the big differentiator with OpenSecurityTraining are the class maps he and his collaborators are developing to offer guidance on how students can systematically train themselves.

"Historically there are people who will go out and spend a lot of their own time learning and mastering areas, but by providing the material, we're making it that much easier for people to do some self study and give themselves a leg up," he says.

As for its place compared to paid training offerings, other instructors involved in the initiative say that OpenSecurityTraining stands to help students get more return off their paid training investments.

"I kind of view it as using my material to build a prerequisite foundation for other more advanced trainings you could go out and take," says Corey Kallenberg, who offers course materials for the site's exploits training track. "The better your foundation is, the more you're going to take from those advanced pay classes." On the flip side, this is where the eventual cost savings will come as well. Students or their employers may be still shelling out cash for paid classes, but they're less likely to spend it on the introductory courses in favor of more specialized training.

"It sets a newer, better baseline in terms of what they can be expected to know," Kovah says. "We can say, look, there's material on intro to exploits [and] teach something more advanced than that. By pushing instructors to teach more advanced things [in paid courses], I think that brings down the costs in the end."

According to Hord Tipton, executive director of ISC2, any kind of augmentation to the security training market can only help the industry.

"In general, all training has its place and is valuable," Tipton says. "No particular training is going to give any one person all that there is to know about how to survive in the information security world. But on the other side of that, you have to make sure you select the right type of training that fits your requirements matrix."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.