How devsecops protects appsec from the cybersecurity skills gap

In an analysis of ESG’s annual survey on the state of IT, security analyst Jon Oltsik reports that in 2018, respondents “once again” ranked cybersecurity skills as their #1 most problematic IT skills shortage. Their #2 response was IT architecture/planning, and the #3 response was server/virtualization administration.

In what seems like a sea of never-ending reports about the depth and severity of the cybersecurity skills shortage, it’s important to note that it doesn’t exist in a vacuum.  Cybersecurity spans wide range of duties.  In the application security realm, a perfect storm of cultural disruption, technological innovation and good timing has led to the emergence of devsecops – a model for application security, that (among its many other benefits), is highly unlikely to be impaired or shortchanged by the cybersecurity skills shortage.

Given the survey’s second and third place rankings, it’s easy to extrapolate that the folks ESG surveyed, in addition to needing skilled cybersecurity people, are in short supply of workers skilled in building and running the next generation of enterprise apps. That’s not good news, because traditionally, applications have offered hackers multiple, easy-to-penetrate attack surfaces that provide easy entrance into their target networks.

But traditions change.

As a technological and cultural movement, DevOps has already created a much more collaborative, integrated IT culture. Devsecops is newer but has been embraced by security conscious DevOps teams, developers and application architects. Companies are increasingly building their new applications using DevOps technologies, processes and beliefs about applications should be built and managed.

Many are either planning to or are already in the process of re-architecting their development pipelines to CI/CD models that support microservices and the ability to constantly automate. In other words, devsecops has great timing, and is catching on in time to be built into modern development pipelines.

Companies that seize the opportunity to transition to a devsecops model, will have more than just agile application security – they’ll have much better application security and applications with vastly reduced attack surfaces. 

Sounds great, right?  But what about the cybersecurity skills shortage?  Not only is the world grossly understaffed when it comes to cybersecurity, but devsecops requires seasoned security pros to acclimate to a bunch of new tools and adopt a whole new mindset.

Plus, skills shortage aside, the discipline of cybersecurity is relatively new. Before mega breaches woke the world up to the need for cybersecurity, “infosec” was more or less legislated into existence with the Sarbanes Oxley Act of 2002, so the existing talent pool of seasoned professionals is quite small when compared to other aspects of IT.

According to CyberSeek, a project affiliated with (among others) the National Institute of Standards and Technology (NIST) there are currently 746,858 filled cybersecurity jobs in the US. In 2015, Symantec CEO Michael Brown, predicted that the demand for cybersecurity jobs is expected to rise to 6 million globally by 2019, with a projected shortfall of 1.5 million.

For the purposes of this post, I’m going to mesh those stats and estimate that in Jan 2018, there are roughly 4 million cybersecurity professionals employed worldwide, with a fraction of those being appsec. According to Evans Data Corporation, in 2017 there were more than 22 million software developers. 

Thanks to the collaborative, integrated nature of DevOps, talent recruited from that pool of 22 million developers will compensate for for the cybersecurity skills shortage because devsecops leaders can deputize developers to do a lot of the groundwork that security requires, as part of their job. So instead of accepting whatever developers deliver and then toil to fix it, security teams can empower developers, using automated tools, to secure their software to a much higher level than before.

It is feasible for devsecops teams to rely on a smaller group of seasoned security pros to craft and implement security policies throughout the dev pipeline.  Devsecops leaders can then train developers to familiarize themselves with those security controls, and work with them to automate security into the pipeline wherever and whenever possible.

If business leaders mandate that application development is framed around DevOps and devsecops processes, application security – especially for containerized, cloud-native applications – will drastically improve despite the cybersecurity skills shortage. 

As I have said time and time again, it will be on security professionals to take the lead on devsecops, which means they need to literally become leaders and make time to proactively enlist others to their cause.  But as more millennials enter the workforce, they are likely to embrace and further the collaborative and creative culture that DevOps and devsecops has infused into corporate IT. 

This is not to say devsecops is a 100% solution for cybersecurity skills shortage, but it can make it a (much) less of a concern in the appsec realm. This may sound like a pipe dream but it’s not – we already see our customers using to devsecops transform application development and security for the better.