Solving the DevSecOps security gap will require organisations to provide additional training to their employees.
The digital revolution has forced businesses to change the way they deliver products and services. Software development was often reserved for the back office, but it has now risen to the front lines, where every missed deadline or functionality glitch ripples through the business, with the potential to affect revenue and customer retention.
Add security on top and a business faces another layer of challenges. Seven in ten large companies have been impacted by a cyberattack or data breach in the last year alone, and that rise in risk has put security at the top of senior leaders' priority lists. As a result, DevSecOps is increasingly being adopted to address this shift. This method builds on the well-known DevOps approach by integrating security into the development and testing cycle, producing applications that are delivered faster, at higher quality and more securely.
This shift fundamentally changes the roles of the development team. Gone are the days when a developer's job was only to ensure the code was functional, while the security team was responsible for making sure applications were secure after they were built. Now, security, development and operations teams have to work together at every step so that applications are built, tested and deployed faster and more securely than ever before.
Security skills gap: Impact on business
To compete in the growing app economy, companies are trying to scale their software development at pace. According to a report by Veracode and DevOps.com, nearly 40 per cent of organisations say the hardest employees to find are all-purpose DevOps gurus with sufficient knowledge of security testing. On the IT operations side, the two hardest skills to find are vulnerability management and containerisation.
This ongoing skills gap could be holding many organisations back from their application delivery ambitions. Only a small fraction of respondents — about one in ten — can boast using DevOps practices from development to production across the entire organisation. The majority either employ DevOps within limited teams or inconsistently across the business, while other companies are only starting their DevOps journey within the next year.
While in-house training would seem like an obvious fix, seven in ten developers surveyed confirmed that their organisations provide them with inadequate application security training. Many security professionals felt the same way.
One of the main things holding organisations back from investing in training is the cost and the impact on resources. Most of the well-known application security training courses cost thousands of pounds and require multiple days of lost time for a developer. However, continuing education for employees doesn't have to be that disruptive.
Self-guided or e-learning training programmes are effective ways to gain new skills for the job. They allow team members to go at their own pace and fit training around their work schedule. Unfortunately, only half of respondents said they could get their companies to foot the entire bill for training.
Investing in on-the-job training now can ensure the organisation is better prepared for future demands. Relying on graduates to arrive on the job with those skills in hand could be setting the organisation up to fail.
Higher education: What’s missing?
New developers and IT operations graduates aren't learning the skills needed to thrive in today's app-centric environment. Unfortunately, this is down to shortcomings in the current formal-education curriculum.
The vast majority of respondents in the 2017 DevSecOps Global Skills Survey said they were not required to complete any courses focused on security when getting their degree. This is surprising, given the growing importance of security to the survival of businesses today.
Several academic experts involved in the study explained that today's typical computer-science programme is not tuned to the security needs of a fast-paced IT organisation. Only one to two lecture hours are dedicated to secure design, one to two hours to defensive programming, two optional hours to network security and one hour to threats and attacks. According to one university professor, "This needs to be embedded in the curriculum from the beginning, instead of just waiting for somebody to teach a security class."
But it's not just for universities and colleges to up their game; the industry needs to step up as well. The current curriculum lacks real-world training such as input and output coding, where most security vulnerabilities lie, and an emphasis on practical security hours rather than the bare minimum students are getting now.
The DevSecOps survey polled 400 IT professionals globally, 64 per cent of whom disclosed that the most valuable skills they had learned were obtained on the job, with just three per cent stating that their career-boosting skills were accrued through education. This great disparity illustrates the need for CIOs and IT leaders to be more involved in curating the curriculum for universities and colleges. It would go a long way towards ensuring the next generation enters the workforce with the right skills, especially as the app economy shows no signs of slowing.
The future: Embracing a new way forward
Tackling the DevSecOps skills shortage requires every business to undergo a mind-set shift. While the approach to implementation will certainly vary between organisations, there has to be a universal understanding that the talent deficit is a priority and affects the entire business. That cultural change needs to come from the top, where CIOs educate the senior team on the imperative to train up, and permeate throughout the organisation. It also cannot focus on developers alone; security and operations teams need it as well. Every player in the DevSecOps environment needs a solid understanding of security principles and DevOps for the new strategy to be truly effective.
As a start, there are four ways CIOs can initiate transformational change:
1. Incorporate security training at every opportunity: As seen in higher education, security cannot be taught as a separate course if it is to stick. If organisations introduce security principles into every training opportunity, employees will retain the information better, see how it is used in real-world cases and, ultimately, improve the work delivered for the business.
2. Applicability adds value: Whether the training is for developers, security or operations teams, it has to be targeted and applicable to the specific role. While every role needs knowledge of DevOps and security principles, the depth required varies with position and skill set. Getting a handle on the baseline knowledge of each team member will ensure the organisation doesn't waste money unnecessarily and employees get the most value out of the training.
3. Invest in continuous education: Continuous education is a must for continuous and secure delivery of software. If organisations struggle to justify sending developers away for extended training classes, bring in application security experts to train staff on the job.
4. Get involved in the community: It may not be of immediate benefit to the organisation, but it is worth encouraging the senior team or developer and security leads to get involved in higher-education mentoring or advising. Whether through shadow days at the office, an apprentice programme, or advising on curriculum and the new skills needed in the workforce, all of these go a long way towards ensuring the next generation of graduates is better equipped to thrive in any app-focused business.
Solving the DevSecOps security gap will not happen overnight. Organisations need to take action now to upskill their developers, train their security teams and play an active role in nurturing future developers. It is the only way to ensure businesses thrive and the application economy is secure now and in the future.