App economy: desperately seeking security talent

Digital transformation has revolutionised the role of applications and software within the business. Previously viewed as the IT Team’s domain, companies are increasingly investing in how they can drive greater productivity and create new revenue streams.

As the importance of software and applications – and the speed with which it is developed –increases, we’re witnessed the transformation to DevOps. DevOps is changing the way companies build, test and deploy applications and is rising in popularity among many businesses, including major brands like Starbucks, LinkedIn, Apple and even the NASA that want to drastically speed up the product-to-market lifecycle.

While it is transforming the application economy for the better, the exponential rise is cybercrime has made application security a more critical business concern. This year alone the business world has experienced some of the biggest cyber attacks ever – from WannaCry to NotPetya – crippling businesses for up to weeks at a time and costing upwards of £4 billion in loss and damages.

>See also: How Brexit will affect UK app developers and consumers

Traditionally security was an afterthought in the development cycle, but over the past few years, it’s quickly become a core part of the process. Now aptly called DevSecOps, the process incorporates security earlier into the development and testing software phases as a means to achieve faster, higher quality outcomes that are both innovative and secure. While DevSecOps is growing in popularity, organisations are still struggling to combat malware injections or data breaches, because their developer and IT teams don’t have the security knowledge or skills needed to launch products threat-free.

Interestingly, the 2017 DevSecOps Global Skills Survey, a report commissioned by Veracode and DevOps.com, found that one in three technology professionals said the IT workforce is unprepared to securely deliver software at DevOps speeds.

With more than half of organisations using DevOps practices across their business or within teams, the personal debt is bound to have a real impact on the productivity of businesses, the safety of its products, and the quality of applications that ultimately form the foundation of today’s digital economy.

The reality of security scarcity

Every organisation is struggling to keep up with the pace of innovation and change today. Add a security skills gap on top, and they’re already two steps behind.

Many companies are forging ahead with their DevOps transformations, but quickly realise there are gaping holes in their development plans. Firms find themselves with a knowledge deficit that puts the success of DevOps efforts at risk, as well as increasing the likelihood of persistent vulnerabilities left in software infrastructure that could be exploited.

Providing developers with training is more efficient than finding that perfect hire, as they already know the business, and can apply the knowledge immediately. Investing in existing employees also supports organisations’ employee Net Promoter scores, with high scoring organisation having better employee loyalty according to research by puppet and DORA.

>See also: Severe: the security risk to UK mobile app users

Despite the obvious benefits of in-house training, seven in ten developers surveyed confirmed that their organisations provide them with inadequate application security training. Classroom or self-guided e-learning training programmes are the most effective way to gain new skills needed for the job, according to 37% of respondents. Yet only half of respondents said they could get their companies to foot the entire bill for training. And according to the industry, it’s largely down to cost.

The study also revealed that the most valuable tools respondents had learned were obtained on the job, with just 3% reporting that they had accrued their most relevant skills through education.

The reason for that gap is simple: real-world security skills are not taught in computer science programmes. Over 70% of developers surveyed said they were not required to complete any courses focused on security when getting their degree. If the next generation is not prepared for in-demand roles and businesses are not willing to train up, it’s no surprise that the skills gap is so vast.

While it’s encouraging that 25% of schools have already started to implement security specific courses to the computer science curriculum, it’s clear that it’s a long-term fix to a short-term problem that requires both educators and business leaders to work closely together.

Paving the way to change

There’s no quick fix to the security gap deficit. Organisations need to step up and realise these shortcomings are costing them. While this is a business issue, the onus lies with the CIO. It’s their job to educate the senior team on the imperative to train-up and invest time and money to allow for on-the-job training.

>See also: How businesses can protect their digital footprint from mobile threats

That means incorporating security techniques into every training opportunity and making sure it’s tailored for whoever is taking it – developers, operations or security personnel. Everyone on a modern software development team needs to have an understanding of security and DevOps principles in order for a true DevSecOps method be effective.

There has to be a mindset shift across the board that recognises how new functionality added to an application increases the attack surface. No matter how much training costs; companies can no longer afford to be complacent.

They have a role to play in educating their staff to improve the security of their applications today, but also in guiding the next generation either through apprentice programmes or advising on university curriculum. The future of the business and more importantly, the entire application economy, depends on it.

 

Sourced Colin Domoney, Consultant Solution Architect at Veracode

 

The Women in IT Awards is the technology world’s most prominent and influential diversity program. On 22 March 2018, the event will come to the US for the first time, taking place in one of the world’s most prominent business cities: New York. Nominations are now open for the Women in IT USA Awards 2018. Click here to nominate

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...