The security skills shortage: A golden opportunity for creative CISOs
I have attended (and continue to attend) multiple industry conferences and events, speaking on stage and networking with people all over the world on the global issues that face us as security professionals.
I have also noticed the steady decline in optimism from the CISOs I speak to - the conversations are rarely brimming with positivity. They are more than aware of the increasingly difficult battle to thwart security risks, but it seems that some are resigned to an inevitability that they will fall victim to a breach, rather than seeking opportunities to improve and streamline security with current and future resources.
By far, the most common issue is one of cybersecurity skills shortage. How can you possibly fight an enemy increasing in numbers, strength and cunning, when you simply don’t have the headcount to support a realistic defence? We hear:
“Our security team isn’t big enough to support our engineering team.”
“We can’t compete with the amazing salary packages offered by overseas companies, so our best security staff are constantly poached.”
“Our security experts are too occupied with urgent firefighting to concentrate on skill development.”
These concerns are backed by recent research reports, including a 2017 Ponemon Institute survey in which “lack of competent in-house staff” was the CISO’s chief worry, topping even company data breaches.
The security skills gap is real, it is a huge challenge and it won’t just clear up one day without considered strategy. Markets like Australia are especially at risk, with home-grown talent moving abroad for better pay and the promise of cross-continental adventure, while Australian immigration laws make it difficult for a reciprocal situation with security experts from overseas.
However, the Australian skills shortage has whipped up some ingenuity, leading to a potent focus on national security skill-building. (As the old, alleged Benjamin Franklin quip goes, “Out of adversity comes opportunity.”) There is a visible push from government departments, educational facilities, savvy corporations, and of course startups, to roll out programs aimed at fortifying local security skills.
The very shallow security skills talent pool has also led to another opportunity, one that serves to up-skill and empower in-house (and even outsourced) development teams. Most of the world’s highest-scale security breaches were made possible by errors in the software code itself, and with the average breach costing in excess of US$3.6 million, it makes sense to examine the application security budget.
It stands to reason that if developers remain untrained, the same mistakes will be made year after year, and the same reactive, expensive after-the-fact fixes will need to be applied. It seems a crazy way to burn through cash, all while an organization’s reputation as a security-conscious company goes down the drain.
So, why not change it up and secure software from the start of production?
Empowering development teams to write secure code is the golden opportunity for CISOs to seize proactive control over looming security issues, and where there is the chance for fast, easy and measurable improvements – for both security and development teams.
Turning every single developer into a security expert is not the solution - they are still entirely separate teams. However, their relationship can be improved and costs drastically reduced if they speak the same language, leading with a security-first mindset and fixing problems as they occur, rather than after code is committed and thirty times more expensive to resolve. If developers can be taught security in a fun, engaging and relevant way, then the outcome will be that top-tier security expertise in the organization can be better spent on finding and fixing the really challenging, complex bugs, rather than dealing with the same old vulnerabilities that could have been fixed at the beginning of the SDLC.
To many CISOs, this might sound like a pipe dream at best, or firmly slam-dunked into the “too hard basket” at worst. However, at Secure Code Warrior, we have seen more and more CISOs embracing this opportunity, implementing it effectively and transforming the working lives of both their security and development teams in the process.
Interestingly, CISOs from one particular vertical have become advocates and, really, pioneers in the use of new training initiatives. Australian banks were the early adopters of this approach back in 2016 and 2017, recognizing the need to develop a strong security mindset within their teams and laying the foundation for security best practice from the start. The country’s top six banks now actively engage and train their dev teams to build secure coding skills through our online, self-paced, gamified learning environment. They are also regularly reviewing real-time metrics and reporting to verify the strengths and weaknesses of their developers and teams, in addition to using it during the recruitment process when expanding the team.
There are tangible, positive and truly transformational outcomes as a result of this approach: reductions in the occurrence of common vulnerabilities, increased security awareness overall and an improved relationship between security and development teams. Companies that invest in teaching their developers to code securely will take the pressure off their existing security talent as well as reducing their exposure through insecure software. With everyone on the same page and putting security first, risk reduction is a given (and a heck of a lot cheaper than fixing it all post-breach).
If you are, or you work with, an increasingly depressed CISO who wants to take real control of the security situation in their organization, then I encourage you to think about a straightforward way to score some positive and tangible security improvement points.
Empower your developers to learn to code securely in a way that is relevant, positive and fun, and you will see the culture transform for the better in less time than you think.