In my role as Managing Principal at Cigital, I spend most of my week talking with information security professionals at a wide variety of organizations. In discussing all of the issues facing security organizations, one issue stands above them all—talent. Never have I seen such a shortage of talent in the security industry as I do today.
Over the past two to three years, organizations that haven’t historically been focused on security have started to build out information security programs. Likewise, startups—which would typically hire security professionals later in their evolution—want to make sure security is built in from the start. That has resulted in more security jobs than people to fill them.
The security talent shortage represents a bigger issue facing the information security profession. Nowhere is it more relevant than in application security.
Application security professionals are the Swiss army knives of the security organization, ready to take on a variety of situations using their array of developmental and architectural expertise. They have to understand information security principles and policy, along with how they apply to the specific code that is written. Usually that means they should be able to write some code.
The most efficient solution to the current application security gap is to hire application developers and teach them security principles. They have the trust of the development teams and the comprehension of a security professional, positioning them to be highly effective.
Many organizations currently choose to move network security professionals into the application security role. Some organizations get lucky and find someone who used to code back in school. Others struggle.
That network security person will do a fantastic job of finding vulnerabilities in applications. The instincts developed in the network world apply in the application world as well. But the job doesn’t stop there. Throughout the security industry, but particularly in application security, the objective isn’t just to find vulnerabilities – it’s to help the organization fix them and ultimately prevent the same thing from happening in the future.
That’s where a security professional without coding experience fails. Even if they have the right fix, they often don’t have the trust of the development team members (who feel they shouldn’t have to take advice from someone who doesn’t understand how to do what they do).
In most applications, about 50% of the vulnerabilities found are bugs and the other 50% are flaws. A bug is an error in how the code was written. It’s generally easy to fix in a few lines of code. SQL injection is a bug. A flaw is a vulnerability in the application architecture. Oftentimes the developer wrote the code specifically to fill a requirement, but the requirement didn’t consider the security impacts. The design of a password reset process can result in a flaw.
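To make the bug-versus-flaw distinction concrete, here is an added example (not code from the original post) in Python with sqlite3: a SQL injection bug beside its few-line fix, and a password reset flaw whose repair means changing the design rather than patching a line. The table, the user records and the token store are constructed for the demo.

```python
import secrets
import sqlite3

RESET_TOKENS = {}  # name -> pending token (constructed stand-in for server-side storage)

def make_db():
    """Constructed in-memory users table so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", "alice@example.test"),
                    ("bob", "hunter2", "bob@example.test")])
    return db

# BUG: the query is built by string formatting, so input becomes SQL syntax.
def find_user_buggy(db, name):
    return db.execute("SELECT name FROM users WHERE name = '%s'" % name).fetchall()

# The fix is local: bind the value as a parameter. One line changes.
def find_user_fixed(db, name):
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

# FLAW: the requirement said "a user can reset their password" and the design
# met it literally. The code is correct; the design lets anyone who knows a
# username set that account's password. No one-line change repairs this.
def reset_password_flawed(db, name, new_pw):
    cur = db.execute("UPDATE users SET pw = ? WHERE name = ?", (new_pw, name))
    return cur.rowcount == 1

# Repairing the flaw means changing the design: a two-step flow where the
# second step proves possession of a secret delivered to the account owner.
def request_reset(db, name):
    """Step 1: mint a one-time token. A real system e-mails it to the stored
    address instead of returning it; it is returned here only for the demo."""
    row = db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[name] = token
    return token

def reset_password_redesigned(db, name, token, new_pw):
    """Step 2: reset succeeds only with the outstanding token; any attempt consumes it."""
    expected = RESET_TOKENS.pop(name, None)
    if expected is None or not secrets.compare_digest(expected, token):
        return False
    db.execute("UPDATE users SET pw = ? WHERE name = ?", (new_pw, name))
    return True
```

Note that the bug fix leaves the function's signature untouched, while the flaw fix changes the interface every caller uses, which is why flaws are expensive to find late.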
The network security professional can find bugs all day long. However, recruiting someone for an application security role who can also find the flaws is a struggle for many organizations. These job openings rarely get filled.
As a result, most security organizations layer security on top instead of building security in. While process and technology play a big part in building a successful security organization, having the right people (or even having enough people) plays a big role in the organization’s ability to secure itself.
A roadmap to change the shape and culture of your security organization
Take the current headcount you’ve been trying to fill unsuccessfully and turn your efforts inward. Find people within your organization who want to expand their experience in security. Invest in their careers: train them through coaching and shadowing if you have the internal resources, and otherwise explore external training resources.
The result will be a significantly more impactful information security organization.
The newly trained, existing team members will understand application development, enterprise architecture, project management and the overall organization much better than someone recently hired to join the organization. They will be able to build security into the organization, because they actually understand the people and processes. This will make them much more effective at preventing vulnerabilities from being introduced in the first place.
The biggest hurdle I see is getting an organization to invest in the training to get non-security people the knowledge they need to be effective in a security organization. It’s often easier to pay someone $10,000 more in salary than to provide someone with $10,000 in training. But is this usually the most valuable approach for your organization? Probably not.
Without the corporate commitment, it’s hard to get the coaching and knowledge to grow as a security professional. Ultimately, it will take a combination of improved college curricula, corporate investment in training, and individual desire to grow more information security professionals.