Under pressure to innovate, development outpaces security
Picture this: a time-strapped engineer chasing a deadline gets a knock on their door (or a ping on Slack) about a new vulnerability. It’s a worst-case scenario – the security team has discovered a dangerous injection flaw, and now the project is skidding to a halt. That developer doesn’t have the security know-how to fix the current vulnerability or prevent it in the future, and there aren’t any extra hands to help cover those knowledge gaps. Something has to give, and that something is usually security.
Competing priorities between cybersecurity and the race to market are like kryptonite for inefficient DevSecOps. If teams are too strapped for time and skills and the organization is missing developer enablement opportunities, how do they build innovative software and keep up with the hungry competition?
Businesses building software today are feeling that heat. A full 70% of Information Systems Security Association (ISSA) members say the cybersecurity skill gap has impacted their company, while 45% think it has gotten worse over the past few years. Knowledge gaps, disjointed processes, siloed teams, and inaccurate or subpar security tools all contribute to the problem and drag out project deadlines.
That’s a frustrating and unnecessary time-suck, and it’s where compromise comes into play. Because they just can’t afford to slow down, 70% of development teams skip at least some security steps when they’re under time pressure or lack the right tools and processes. And since the IT talent shortage is one of the biggest barriers to adopting critical technologies that make DevSecOps more efficient, that only fuels a stressful cycle for overworked and underprepared employees facing increased security threats daily.
All signs point to urgency in closing the cybersecurity skills gap. Let’s dig into some of the trends that show how dire this situation is and see what organizations can do about it.
Unfilled jobs are piling up faster than ever
Perhaps the most worrisome trend is the sheer number of cybersecurity roles open today. A study from the Information System Security Certification Consortium puts the number of unfilled cybersecurity jobs at just over 4 million. It’s a widening gap with no signs of shrinking, and industry growth will only magnify the problem at hand, so where to start?
Like an onion, this issue has many layers and isn’t always pleasant to slice open. A big part of the problem is a lack of direction for cybersecurity-focused careers. Without clear pathways to success, more leadership opportunities, educational enablement, and other avenues for growth, any career path can feel fuzzy and confusing. But that’s especially true in cybersecurity because, for most developers, security isn’t something learned in school or integrated into their workflows by default.
Process problems don’t immediately resolve when a good hire signs an employment contract, either. Onboarding challenges are real in software development; it can take weeks and sometimes months for an engineer to get up to speed with a brand new tech stack and existing codebases. On the security side of the aisle, onboarding can be even more overwhelming if new hires are immediately faced with compounded security debt, poor practices, legacy tools, and a lack of clear oversight.
Sometimes leadership just doesn’t have insight into the roles development and security play in the software process day-to-day, which means they don’t see the issues in action. If executives lack clarity into the ins and outs of DevSecOps, they’re missing the bigger picture problems that stir up stress and bandwidth issues leading to hard-to-fill roles. But when leadership has a handle on which responsibilities, tools, and processes are clearly missing from the puzzle, filling critical roles (and keeping them filled) is easier to do.
The government is stepping up its hiring game
The United States government has its eye on this issue. Just last month, the DHS announced a new initiative to hire and retain the best talent in cybersecurity. The new Cybersecurity Talent Management System aims to take some of the pressure off federal agencies, modernizing how the government approaches hiring, developing, and retaining top talent in cybersecurity as a whole.
Secretary of Homeland Security Alejandro N. Mayorkas stressed the seriousness of the situation: “As our Nation continues to face an evolving threat landscape, we cannot rely only on traditional hiring tools to fill mission-critical vacancies. This new system will enable our Department to better compete for cybersecurity professionals and remain agile enough to meet the demands of our critical cybersecurity mission.”
The directive will first focus on filling critical roles at the Cybersecurity and Infrastructure Security Agency (CISA), though that’s just the tip of the iceberg. It follows recent key initiatives like CISA’s Binding Operational Directive around reducing risk for known exploited vulnerabilities and the CISA playbooks that provide federal civilian executive branch agencies with plans for incident and vulnerability response.
These initiatives come as no surprise, as they are essential. The government was the most targeted sector over the past year – nearly half (48%) of all attacks included governments, and the United States alone faced 46% of those attacks, which is why getting a handle on this issue remains a top priority. The steps to improve national cybersecurity and hire more skilled professionals are a lead that all organizations can and should follow, whether federal or not.
Breaches are costing more time, money, and sanity
We’re on the brink of 2022, and new security issues are already leaving us with whiplash. For example, the newly discovered zero-day vulnerability impacting the Log4j library popped up on everyone’s radar earlier this month to remind us that we still don’t have a handle on the software supply chain. Breaches are up in intensity, and so are the costs: data from IBM shows that the average cost of data breaches hit a 17-year high in 2021, topping out at $4.24 million USD per breach per organization. That’s an expensive security patch.
So where’s the disconnect, and why are we still getting so caught off guard? Research shows that just 20% of organizations have fully integrated security into development, leaving a large proportion that keeps security teams siloed or butting heads on processes. That certainly contributes to the problems at hand – including stressful work environments – and it churns in a vicious cycle that keeps workers in tight spots.
Stopping a project to figure out what happened and how to fix it is a drag. Without the right processes and accurate tools, remediation can soak up time like a sponge. We know that it can take, on average, 112 hours (that’s two weeks) per team member to address only the current backlog of security issues – and that’s if they do nothing else. There’s a disconnect between what executives think is going on and what is actually happening, too. They tend to have an overly optimistic view of the state of their web application security without getting the full picture. In fact, we know that 14% of execs estimate their teams rarely or never skip security steps, while only 6% of developers agree with them.
If breaches are getting more frequent and costly yet teams are still struggling with outdated processes, inadequate tooling, and misaligned priorities, how can we get ahead of these issues and close skill gaps in the process? It’s time to modernize our application security mindset.
Where to start when shrinking the skills gap
Good AppSec works to kickstart your security program, but what about great AppSec that makes everyone’s lives easier? Leaders need to ensure that their DevSecOps professionals have the best tools and processes at their fingertips if they want their AppSec program – and their employees – to succeed. That’s how you not only set your team up for more innovation but also keep seats filled while attracting the best of the best.
To help close skill gaps, make sure that your AppSec program:
- Is DevSecOps-focused and developer-friendly so that adoption of tooling requires minimal or no additional effort and new developers can hit the ground running when onboarding
- Includes integrated security tools with automated features and functionality that plug into existing workflows to improve processes and accuracy of results
- Works on addressing time-consuming and avoidable pain points, like high false positive rates that slow down progress and increase frustration
- Offers engaging opportunities for growth, such as a Security Champions program that gives a voice to your security-minded team members or educational opportunities to stay on top of best practices
Even with these efforts in play, that main security message needs to trickle from the top down. Security adoption for an organization starts with leadership, first and foremost, and that message from the top is what employees and interviewees alike will hear loud and clear. It’s much easier to fill open seats with the right people and skills when you acknowledge existing issues with communication between teams and work to solve problems that impede diversity and career growth.
Gain deeper insight into these pain points and the overall state of web application security by reading the Fall 2021 Invicti AppSec Indicator.