Re: Root of competence
That’s a great question, and thinking about it, I’d be in a similar position if I was looking for formal compliance.
I’d also add “designed/wrote the Company Open Source Policy and Procedures” as evidence for my own competence (I wrote the policy, so I decide what is ok!). I also have talked about Open Source Compliance at Intellectual Property conferences.
It would be good to know others’ thoughts on this bootstrapping. 😉
From: main@... <main@...> On Behalf Of Steve Kilbane via lists.openchainproject.org
Sent: 29 June 2021 08:52
Subject: Re: [openchain] Root of competence
Thanks, Martin. In that context, your comments make sense.
I'm specifically looking for a starting point: assuming no-one in the org has any formal/external training yet, how does one show competence for the *first* trainer in the org, the one who would then be providing training to the others in the org?
It could be argued that working through the OpenChain curriculum and adapting it to the local org's needs is equivalent to receiving that training, but I don't want to start out with a flawed assumption. And while it would have been necessary in the past to say "my years of personal experience are sufficient" because there wasn't any alternative, I don't know that that's good enough now. Hence taking the temperature of the group.
I may have misunderstood the original question; my comment was around “training the trainers” and/or keeping the “experts” up to date. I don’t think there is much formal training available for that purpose and would certainly welcome any other thoughts in this area.
In terms of general training, I use some LinkedIn Learning modules (because as a company we currently have licenses) and some OpenChain reference materials. I supplement both of these with more targeted examples, use-cases, anecdotes, company-specific terms & procedures, etc.
I would recommend using the above materials, to make something bite-sized and utilising all modern methods of delivery (i.e. videos, quizzes) if available virtually. The OpenChain Reference Training sub-group is making great progress towards improved materials.
> Several of the open source organizations, including OpenChain have published training curriculum or materials
> that would provide a peer-reviewed foundational knowledge which when combined with individual experience would
> provide evidence that you meet technical criteria.
As noted, I'd probably base our own training on the OpenChain materials. Can you be specific about the other materials you mention?
My observation based on 20+ years in this space is that training by a recognized organization using a designed curriculum is far better than just going to meetings and attending conferences. Most individuals would have some (or great) difficulty in sifting the wheat from the chaff (opinions and not necessarily facts) offered by the various presenters in this complex and evolving field. Several of the open source organizations, including OpenChain have published training curriculum or materials that would provide a peer-reviewed foundational knowledge which when combined with individual experience would provide evidence that you meet technical criteria. Some of the Software Composition Analysis (SCA) vendors do offer "auditing" training on their tools where a certification that you have completed the training is provided (if you want to be the go-to person in your organization).
These are my thoughts and do not reflect the positions of anyone else.
Chris Wood PhD CISSP
On Thursday, June 24, 2021, 10:21:09 AM CDT, Martin Yagi <martin.yagi@...> wrote:
I count my ongoing “training” as attending webinars, industry events, etc.
One of the key points in OpenChain is that program participants are trained in order to have sufficient competency for their role. In my org, I'd probably be one of the key trainers, and would likely be developing the courses (most likely based on the great work going on in the education team). But I haven't had training – just years to the grindstone in an organically-growing compliance team. How's this normally handled? Is it just recognised that someone is the local expert, or is it necessary/recommended that I'd get external training in order to be able to self-certify as competent before spreading the Word to the rest of the org? If the latter, recommendations gratefully accepted…