According to ISACA’s State of Cybersecurity 2020 Report, which is based on data gathered from more than 2,000 respondents in more than 100 countries, cybersecurity threats continue unabated while a cybersecurity skills gap is presenting serious challenges to organizations. Some of the key highlights from the report include:
- 62% say their cybersecurity team is understaffed
- 57% currently have unfilled cybersecurity positions
- 32% say it takes six months or more to fill an open cybersecurity position
- 70% say fewer than half of cybersecurity applicants are well-qualified for the job
The skills gap is not limited to technical (hard) skills; it extends to non-technical (soft) skills as well. One-third of respondents report gaps in soft skills such as critical thinking, effective communication, leadership, and interpersonal skills. These findings align with other industry studies.
Security Layers Have Led to Cybersecurity Skills Gaps
The ISACA report queried organizations on what they seek in a winning candidate, and the data shows that there is no substitute for experience, credentials, and training: cybersecurity experience (95%), credentials (89%), and hands-on training (81%) top the list.
The biggest reported skills gaps mirror these candidate priorities: soft skills (32%), IT knowledge and skills (30%), business insight (16%), cybersecurity technical experience (13%), and hands-on training (10%).
Beyond recruiting winning candidates, organizations also say they have a hard time holding on to top talent: 66% report difficulty retaining cybersecurity staff. And the situation is expected to worsen. (ISC)², the world's largest nonprofit membership association of certified cybersecurity professionals, estimates that the global cybersecurity workforce must grow by 145% to keep pace with current demand.
Greg Touhill, ISACA board director and president of Cyxtera Federal Group, attributes part of this conundrum to the way defense-in-depth has evolved. “We invested in a strategy of defense-in-depth, so we added another layer upon another layer, and all of these layers cost tremendous amounts of manpower,” he says. He adds that each of those layers also requires its own highly skilled talent for every tool and platform.
Traditional AppSec Requires Security Experts
Traditional application security (AppSec) approaches built on static application security testing (SAST) and dynamic application security testing (DAST) effectively require DevOps teams to become security experts, because the findings these tools produce need expert triage and verification. Indeed, nearly three-quarters of DevOps teams are inadequately prepared to deal with the security requirements of AppSec. And with threats growing in volume, velocity, and sophistication, this gap is only widening.
Moreover, because DevOps teams are measured on code delivered and release velocity, they have little incentive to learn a new cybersecurity skill set and become security experts. Unable to keep up with the security challenges of their DevOps environments, security and development teams instead turn to hiring DevSecOps staff. And even when they manage to find and recruit these specialists, organizations face higher security and development staffing costs.
A Rethink of AppSec Is Required
Much has been written about what can be done to address the cybersecurity skills shortage. Recommendations include tapping lateral occupational and industry sources of talent such as military veterans, focusing more on STEM education in K-12, creating more academic degrees and programs in higher education, and more. Yet little progress is being made; if anything, the latest reports suggest things are getting worse.
DevSecOps is no different from other security domains, and the situation calls for a rethink of AppSec. Rather than seeking out DevSecOps specialists, the solution resides within DevOps teams themselves. An approach that combines SAST, DAST, software composition analysis (SCA), and interactive application security testing (IAST) in one place breaks down the silos separating different security tools and processes. Managing AppSec from a single platform saves security and DevOps teams a great deal of time, not to mention frustration.
Getting the right AppSec platform in place extends beyond a centralized console and an integrated toolset. Traditional AppSec tools require specialized security expertise to identify vulnerabilities and to verify their remediation, from development through production. Developers simply do not have the time to acquire that level of security expertise, or to manage the workflows that come with it. Contrast Security addresses this by embedding security within the application itself through instrumentation. This is the same model used by application performance monitoring (APM) products such as New Relic and AppDynamics: an agent embedded in the application delivers continuous monitoring from the inside.
An AppSec platform powered by instrumentation, such as the Contrast DevOps-Native AppSec Platform, automates both the identification of vulnerabilities and the verification that they have been remediated, saving development and security teams substantial time. Because the security checks run inside the application, security no longer has to interrupt coding and release cycles. The cybersecurity skills shortage therefore ceases to be a constraint on AppSec: developers can manage vulnerabilities directly within the application with no security expertise required, and the security team is spared the search for hard-to-find, specialized DevSecOps staff. AppSec is democratized.
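The instrumentation model described in the two paragraphs above, shown as an added illustration that is not Contrast Security's code and does not describe its product internals: a toy Python sensor wraps a dangerous sink (sqlite3 query execution) and a source hook (request parameters) so that the running application itself reports an injection vulnerability, with the offending function and line, during an ordinary functional request carrying a harmless value. After the developer switches to a bound parameter, the same request produces no finding, which is the automated remediation verification the text refers to. The `SensorCursor`, `SensorConnection`, `instrument_handler` and `run_demo` names, the value-matching rule standing in for real taint tracking, and the constructed request are all assumptions of the example.

```python
"""Toy in-application security sensor (added example; not Contrast's code).

Instead of scanning source (SAST) or sending attack payloads from outside
(DAST), a sensor embedded in the running application watches untrusted
request data flow into a dangerous sink and reports the exact code location.
"""
import functools
import sqlite3
import threading
import traceback

_request = threading.local()   # per-request state, like a real agent's request context
FINDINGS: list = []            # what an agent would forward to its console


def _untrusted() -> list:
    return getattr(_request, "values", [])


def _check_sql_sink(sql: str) -> None:
    """Sink rule: an untrusted request value appears inside the SQL text.

    Simplification (assumption of this example): real agents track taint
    through string operations; this toy compares values. A bound parameter
    never appears in the SQL string, so the safe pattern yields no finding.
    """
    for value in _untrusted():
        if len(value) >= 3 and value in sql:
            caller = traceback.extract_stack()[-3]   # skip this helper and execute()
            FINDINGS.append({
                "rule": "sql-injection",
                "evidence": value,
                "sql": sql,
                "location": f"{caller.name} ({caller.filename}:{caller.lineno})",
            })


class SensorCursor(sqlite3.Cursor):
    """Instrumented sink: inspects every statement before it runs."""

    def execute(self, sql, parameters=()):
        _check_sql_sink(sql)
        return super().execute(sql, parameters)


class SensorConnection(sqlite3.Connection):
    """Hands out instrumented cursors; installed via sqlite3.connect(factory=...)."""

    def cursor(self, factory=SensorCursor):
        return super().cursor(factory)


def instrument_handler(handler):
    """Source hook: a real agent wraps the web framework's dispatch; here a decorator."""

    @functools.wraps(handler)
    def wrapper(conn, params):
        _request.values = [v for v in params.values() if isinstance(v, str)]
        try:
            return handler(conn, params)
        finally:
            _request.values = []

    return wrapper


@instrument_handler
def lookup_user_vulnerable(conn, params):
    # Developer concatenates input into the query: the sink sensor flags this line.
    cur = conn.cursor()
    cur.execute("SELECT id, name FROM users WHERE name = '" + params["username"] + "'")
    return cur.fetchall()


@instrument_handler
def lookup_user_fixed(conn, params):
    # Same query with a bound parameter: the untrusted value never reaches the SQL text.
    cur = conn.cursor()
    cur.execute("SELECT id, name FROM users WHERE name = ?", (params["username"],))
    return cur.fetchall()


def run_demo():
    """Exercise both handlers with one benign request; returns (rows, rows, findings)."""
    FINDINGS.clear()
    conn = sqlite3.connect(":memory:", factory=SensorConnection)
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    cur.execute("INSERT INTO users (name) VALUES ('alice'), ('bob')")
    request = {"username": "alice"}   # constructed input: no attack payload needed
    vulnerable_rows = lookup_user_vulnerable(conn, request)
    fixed_rows = lookup_user_fixed(conn, request)
    return vulnerable_rows, fixed_rows, list(FINDINGS)


if __name__ == "__main__":
    _, _, findings = run_demo()
    for finding in findings:
        print(f"{finding['rule']}: untrusted value {finding['evidence']!r} "
              f"reached the query in {finding['location']}")
```

Two things worth noting. First, the finding is produced by a normal request for the user "alice", not by an injection payload, which is what lets this style of sensor run alongside ordinary functional tests rather than a separate scan. Second, the hook sits at the cursor subclass, so the demo always goes through `conn.cursor()`; in current CPython the `Connection.execute()` shortcut builds its cursor in C and bypasses the overridden `cursor()`, which is one reason real agents instrument at the database driver or bytecode level instead of relying on Python-level subclassing.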