It has been widely reported that the shortfall of security professionals is growing and is projected to reach 1.5 million unfilled positions by 2020. That gap is a likely cause of serious application security weaknesses and data theft in the coming years.
With a never-ending news cycle of data breach reports, companies need to assess how they can avoid becoming the next headline. Having the right talent in place is key to combating cyber-threats that are growing more frequent and more severe.
Recently, Cisco released its 2017 Cybersecurity report which reported that it was yet another record year for successful cyber-attacks. An interesting stat from the report mentioned that “the cloud security provider CloudLock, now part of Cisco, has been tracking the growth of connected third-party cloud applications across a sample group of 900 organizations representing a range of industries. In that, there were about 129,000 unique applications observed at the beginning of 2016. By the end of October, that number had grown to 222,000. The number of applications has increased approximately 11 times since 2014.”
The report also noted that “90% of those organizations are striving to improve their threat defense technologies, through a handful of different strategies: separating IT and security functions, increasing security awareness training for employees, and implementing risk mitigation techniques.”
Those are steps in the right direction, in that employees learn how to recognise and mitigate risk, but the threat does not go away. Organizations will still need the talent to keep up with attacks that are only likely to increase, and nowhere more so than in application security.
The traditional career path of those now in cybersecurity has placed very little emphasis on application security, and given where attacks are heading, that is a problem. Verizon’s Data Breach Investigations Report (DBIR) has repeatedly ranked web application attacks among the leading patterns behind confirmed data breaches, and that attack surface keeps widening as more traffic shifts to mobile clients and the web APIs that sit behind them.
The problem many companies face in application security is volume: there are far more code vulnerabilities than the IT staff assigned to deal with them can triage and fix. The fix is not as simple as it may seem. Most IT departments respond by telling developers to focus more on security. That is overly simplistic and, on its own, largely wrong.
With a worldwide shortage of skilled security practitioners, the question remains: how can companies continue to gain ground on attackers? If the talent is not there, how can they defend their systems?
The answer is simple to state and hard to execute. Organizations need to stop asking developers to carry the whole burden of securing the applications they write.
Developers can do a great deal with the code they write, but they should not be expected to be the primary line of defence for the application. That is where dedicated security teams need to spend their time. Organizations need to do their best to attract and retain the talent necessary to combat the threats directed at their applications.
A developer who is equally skilled as a security specialist is rare, and finding one has proven to be a challenge for organizations. The lack of cybersecurity skills can have a devastating effect on an organization.
A recent report by Intel Security, in partnership with the Center for Strategic and International Studies (CSIS), called Hacking the Skills Shortage, found that “82% reported a lack of cybersecurity skills within their organization. One in three say the shortage makes them prime hacking targets; one in four say it has led to reputational damage and the loss of proprietary data via cyber-attack.”
In today’s IT-driven world, the software most organizations run is assembled by many hands. Just as an automobile or a commercial aircraft is built from parts manufactured all over the world, an application is a combination of custom-written code, downloaded third-party components (each of which carries its own known and not-yet-disclosed vulnerabilities), and the APIs that come with the platform and operating system. A flaw in any one of those layers is a flaw in the finished product, and the developer typically wrote only a fraction of it.
While the lack of cybersecurity skills is something organizations need to address head on, they also need to recognise that asking a developer who is highly skilled at building fully functional applications to also be responsible for ferreting out every security flaw is usually too much for one person to handle.
Again, application security is a team effort, and no one person can be expected to handle it all. Asking a developer to write near-flawless code and to guarantee its security at the same time is a recipe for disaster.
The skills shortage is made worse by organizations trying to recruit a single person to handle every complicated aspect of cybersecurity. What organizations should focus on instead is lifting the burden of securing applications off the developer and building a team whose skill set is dedicated to protecting the applications and systems the organization depends on.
Organizations should also work harder to equip their security teams with emerging technologies that compensate for the fact that software flaws are inevitable. These range from more efficient code testing, to precise protection rules built into the running application itself, to virtual patches that block exploitation of a known flaw without having to change and redeploy the code immediately. One caveat a practitioner should keep in mind: a virtual patch stops a specific attack path at the network or runtime layer, but the underlying vulnerability remains in the code, so it buys time for the real fix rather than replacing it.
The simple reality is this: we cannot expect human resources alone to keep up with the sheer volume of code being written for the ever-increasing number of devices and applications that connect our world (widely cited projections put the number of connected devices at around 50 billion by 2020). We must reallocate responsibility for protection to dedicated, skilled people and back them with technology that automates as much of that protection as possible.
The shortage of talent is a cause for concern, but the bigger issue is that organizations need to change how application security is staffed and tooled. If they do not, the shortage of skilled workers will continue to grow along with the number and severity of attacks.