Re: Root of competence
I may have misunderstood the original question, my comment was around “training the trainers” and/or keeping the “experts” up to date. I don’t think there is much formal training available for that purpose and would certainly welcome any other thoughts in this area.
In terms of general training, I use some LinkedIn Learning modules (because as a company we currently have licenses) and some OpenChain reference materials. I supplement both of these with more targeted examples, use-cases, anecdotes, company specific terms&procedures, etc.
I would recommend using the above materials, to make something bite sized and utilising all modern methods of delivery (i.e. videos, quizes) if available virtually. The OpenChain Reference Training sub-group is making great progress towards improved materials.
From: main@... <main@...> On Behalf Of Steve Kilbane via lists.openchainproject.org
Sent: 29 June 2021 08:06
Subject: Re: [openchain] Root of competence
> Several of the open source organizations, including OpenChain have published training curriculum or materials
> that would provide a peer-reviewed foundational knowledge which when combined with individual experience would
> provide evidence that you meet technical criteria.
As noted, I'd probably base our own training on the OpenChain materials. Can you be specific about the other materials you mention?
My observation based on 20+ years in this space is that training by a recognized organization using a designed curriculum is far better than just going to meetings and attending conferences. Most individuals would have some (or great) difficulty in sifting the wheat from the chaff (opinions and not necessarily facts) offered by the various presenters in this complex and evolving field. Several of the open source organizations, including OpenChain have published training curriculum or materials that would provide a peer-reviewed foundational knowledge which when combined with individual experience would provide evidence that you meet technical criteria. Some of the Software Composition Analysis (SCA) vendors do offer "auditing" training on their tools where a certification that you have completed the training is provided (if you want to be the go-to person in your organization).
These are my thoughts and do not reflect the positions of anyone else.
Chris Wood PhD CISSP
On Thursday, June 24, 2021, 10:21:09 AM CDT, Martin Yagi <martin.yagi@...> wrote:
I count my ongoing “training” as attending webinars, industry events, etc.
One of the key points in OpenChain is that program participants are trained in order to have sufficient competency for their role. In my org, I'd probably be one of the key trainers, and would likely be developing the courses (most likely based on the great work going on in the education team). But I haven't had training – just years to the grindstone in an organically-growing compliance team. How's this normally handled? Is it just recognised that someone is the local expert, or is it necessary/recommended that I'd get external training in order to be able to self-certify as competent before spreading the Word to the rest of the org? If the latter, recommendations gratefully accepted…