The unemployment rate for cybersecurity professionals is now hovering around zero percent, according to Cybersecurity Ventures. There are currently 1 million cybersecurity job openings (experts predict the number to climb to 6 million globally by 2019) but there aren’t enough trained professionals to fill the roles.
The recruitment pipeline for cybersecurity professionals is drying up at an alarming rate: there are two positions available for every qualified candidate. Recruiters and headhunters alike are scrambling to fill a single role that is really meant for three or four professionals. They craft lengthy job descriptions and require a list of skillsets that most individuals simply don’t have. The sheer number and frequency of cyber attacks make it nearly impossible for a single individual to keep up and stay informed.
Cybersecurity Ventures predicts that cybercrime damages will cost the world $6 trillion annually by 2021, making the talent shortage more and more of a crisis. According to an Intel Security report, a third of respondents say a shortage of skills has positioned their organizations as more desirable hacking targets, and one in four claim that insufficient cybersecurity resources have damaged their organization’s reputation and led directly to the loss of proprietary data.
Codiscope CTO John Steven discusses a solution to this growing problem:
Addressing the Problem: No More ‘Whack-a-Mole’
Scanning automation tools can certainly help alleviate some of the time and resource pressures facing AppSec professionals, but they often put developers in a position where they’re scrambling to triage and resolve thousands of issues that may not have been created by them. It often creates more work for everyone, and doesn’t help either the security team or the development team focus their efforts.
Tools that work within development and teach devs how to build security into their applications from the beginning prevent 70% of issues from manifesting in the code at all. That relieves much of the bottleneck and leaves security professionals with a much more manageable workload. 90% of respondents from the Intel Security report acknowledged that advancing technology could help alleviate their cybersecurity hiring problems. There will always be the need for people with the critical problem-solving skills to oversee and understand the issues at hand, but distributing security knowledge across the organization via development increases the efficacy of all your security initiatives.
Why don’t we teach our developers to own the security of their code and work in combination with the application security team?
Picture this: developers prevent the majority of security issues before they reach production, so only high-value security issues make it to the desk of the AppSec manager. A developer who’s capable of owning not just code quality, but code security. A security-focused developer.
Developer-driven security means that more security issues are resolved during development, reducing time, resource strain, and delays in releasing to production. By giving developers the responsibility of securing applications, cybersecurity professionals can focus on high-value issues. Narrowing the focus of the cybersecurity professionals to specific security issues instead of a generalized “whack-a-mole” approach will allow organizations to leverage their security folks and make a much larger impact on the security effectiveness of the organization. By incorporating the development teams and engaging them in the most interesting and crucial security problems, organizations can begin to chip away at the talent gap. You can strengthen the productivity of the organization as a whole simply by developing a security staff that’s committed to working on secure design issues and implementing a toolset that teaches developers secure coding best practices.