In an analysis of ESG\u2019s annual survey on the state of IT, security analyst Jon Oltsik reports that in 2018, respondents \u201conce again\u201d ranked cybersecurity skills as their #1 most problematic IT skills shortage. Their #2 response was IT architecture\/planning, and the #3 response was server\/virtualization administration.In what seems like a sea of never-ending reports about the depth and severity of the cybersecurity skills shortage, it\u2019s important to note that it doesn't exist in a vacuum.\u00a0 Cybersecurity spans wide range of duties.\u00a0 In the application security realm, a perfect storm of cultural disruption, technological innovation and good timing has led to the emergence of devsecops \u2013 a model for application security, that (among its many other benefits), is highly unlikely to be impaired or shortchanged by the cybersecurity skills shortage.Given the survey\u2019s second and third place rankings, it's easy to extrapolate that the folks ESG surveyed, in addition to needing skilled cybersecurity people, are in short supply of workers skilled in building and running the next generation of enterprise apps. That\u2019s not good news, because traditionally, applications have offered hackers multiple, easy-to-penetrate attack surfaces that provide easy entrance into their target networks.But traditions change.As a technological and cultural movement, DevOps has already created a much more collaborative, integrated IT culture. Devsecops is newer but has been embraced by security conscious DevOps teams, developers and application architects. Companies are increasingly building their new applications using DevOps technologies, processes and beliefs about applications should be built and managed.Many are either planning to or are already in the process of re-architecting their development pipelines to CI\/CD models that support microservices and the ability to constantly automate. In other words, devsecops has great timing, and is catching on in time to be built into modern development pipelines.Companies that seize the opportunity to transition to a devsecops model, will have more than just agile application security - they\u2019ll have much better application security and applications with vastly reduced attack surfaces.\u00a0Sounds great, right?\u00a0 But what about the cybersecurity skills shortage?\u00a0 Not only is the world grossly understaffed when it comes to cybersecurity, but devsecops requires seasoned security pros to acclimate to a bunch of new tools and adopt a whole new mindset.Plus, skills shortage aside, the discipline of cybersecurity is relatively new. Before mega breaches woke the world up to the need for cybersecurity, \u201cinfosec\u201d was more or less legislated into existence with the Sarbanes Oxley Act of 2002, so the existing talent pool of seasoned professionals is quite small when compared to other aspects of IT.According to CyberSeek, a project affiliated with (among others) the National Institute of Standards and Technology (NIST) there are currently 746,858 filled cybersecurity jobs in the US. In 2015, Symantec CEO Michael Brown, predicted that the demand for cybersecurity jobs is expected to rise to 6 million globally by 2019, with a projected shortfall of 1.5 million.For the purposes of this post, I\u2019m going to mesh those stats and estimate that in Jan 2018, there are roughly 4 million cybersecurity professionals employed worldwide, with a fraction of those being appsec. According to Evans Data Corporation, in 2017 there were more than 22 million software developers.\u00a0Thanks to the collaborative, integrated nature of DevOps, talent recruited from that pool of 22 million developers will compensate for for the cybersecurity skills shortage because devsecops leaders can deputize developers to do a lot of the groundwork that security requires, as part of their job. So instead of accepting whatever developers deliver and then toil to fix it, security teams can empower developers, using automated tools, to secure their software to a much higher level than before.It is feasible for devsecops teams to rely on a smaller group of seasoned security pros to craft and implement security policies throughout the dev pipeline.\u00a0 Devsecops leaders can then train developers to familiarize themselves with those security controls, and work with them to automate security into the pipeline wherever and whenever possible.If business leaders mandate that application development is framed around DevOps and devsecops processes, application security - especially for containerized, cloud-native applications - will drastically improve despite the cybersecurity skills shortage.\u00a0As I have said time and time again, it will be on security professionals to take the lead on devsecops, which means they need to literally become leaders and make time to proactively enlist others to their cause.\u00a0 But as more millennials enter the workforce, they are likely to embrace and further the collaborative and creative culture that DevOps and devsecops has infused into corporate IT.\u00a0This is not to say devsecops is a 100% solution for cybersecurity skills shortage, but it can make it a (much) less of a concern in the appsec realm. This may sound like a pipe dream but it\u2019s not - we already see our customers using to devsecops transform application development and security for the better.