Re: Root of competence
My observation based on 20+ years in this space is that training by a recognized organization using a designed curriculum is far better than just going to meetings and attending conferences. Most individuals would have some (or great) difficulty in sifting the wheat from the chaff (opinions and not necessarily facts) offered by the various presenters in this complex and evolving field. Several of the open source organizations, including OpenChain have published training curriculum or materials that would provide a peer-reviewed foundational knowledge which when combined with individual experience would provide evidence that you meet technical criteria. Some of the Software Composition Analysis (SCA) vendors do offer "auditing" training on their tools where a certification that you have completed the training is provided (if you want to be the go-to person in your organization).
These are my thoughts and do not reflect the positions of anyone else.
Chris Wood PhD CISSP
On Thursday, June 24, 2021, 10:21:09 AM CDT, Martin Yagi <martin.yagi@...> wrote:
I count my ongoing “training” as attending webinars, industry events, etc.
From: main@... <main@...>
On Behalf Of Steve Kilbane via lists.openchainproject.org
One of the key points in OpenChain is that program participants are trained in order to have sufficient competency for their role. In my org, I'd probably be one of the key trainers, and would likely be developing the courses (most likely based on the great work going on in the education team). But I haven't had training – just years to the grindstone in an organically-growing compliance team. How's this normally handled? Is it just recognised that someone is the local expert, or is it necessary/recommended that I'd get external training in order to be able to self-certify as competent before spreading the Word to the rest of the org? If the latter, recommendations gratefully accepted…