For years, security leaders have been talking about the cybersecurity skills shortage. In 2014, a RAND Corporation study found that the nationwide shortage of cybersecurity professionals – particularly for positions within the federal government – created risks for national and homeland security. “It's largely a supply-and-demand problem," said Martin Libicki, lead author of the study and senior management scientist at RAND. "As cyber attacks have increased and there is increased awareness of vulnerabilities, there is more demand for the professionals who can stop such attacks. But educating, recruiting, training and hiring these cybersecurity professionals takes time," said Libicki.
The demand for cybersecurity professionals began to overtake supply in 2007, largely due to increased reports of large-scale hacking and other advanced persistent threats, said Libicki. Since 2014, the demand has only grown and more organizations (74 percent) continue to be impacted by the skills shortage. To close the gap, (ISC)² estimates that 4.07 million cybersecurity professionals are needed, or an additional 145 percent. Currently, there are only 2.8 million professionals.
The security industry, says Pieter Danhieux, Secure Code Warrior CEO and Co-Founder, needs to recognize there is a need for a strong security culture, where developers are empowered to learn to code securely. This, he contends, can turn the security skills shortage into an opportunity.
Addressing the Cybersecurity Skills Gap
“Globally, we are producing an enormous amount of code to fulfill our insatiable appetite for rapid digitization and innovation. Approximately 111 billion lines of code are created each year, and this is only set to grow. More code means more vulnerabilities, and the industry is struggling to meet the demand for cybersecurity expertise,” Danhieux says.
Leaders must approach the issue differently, he says. “With attackers only needing small opportunities to orchestrate a damaging data breach, coding securely must be considered a top priority. The “skills shortage” battle is unwinnable if we are only looking towards highly trained, expensive application security (AppSec) specialists to deal with security problems. There will never be enough, so we must look at the issue from many different perspectives.”
To turn the security skills shortage into an opportunity, he says, leaders within organizations and universities should start empowering developers to learn to code securely. “AppSec specialists are scarce and expensive. They should be focused on very complex security issues; however, the constant flagging of common vulnerabilities that have had a remedy for decades often bogs them down.”
These issues, Danhieux says, would not enter code in the first place if developers were security-aware and adequately trained to find and fix these common problems. Universities, for instance, “teach developers how to think and design code; however, security is briefly touched on,” which leads developers to introduce problems without their knowledge, says Matias Madou, Co-Founder of Secure Code Warrior.
“It is far cheaper, more efficient and safer to secure code from the start of the system development life cycle (SDLC), and that means turning developers in to the first line of defense,” notes Danhiuex.
For developers to write secure code, training that is more in-depth, engaging and relevant to developers’ day jobs must be implemented. “With the sheer amount of breaches happening every other day, it’s clear that most security training is inadequate at the developer level and they are not equipped with the tools, nor the knowledge, to be successful in coding securely,” he notes.
Upskilling and Retention Are Important. Here’s Why
Tertiary education for software engineers rarely includes in-depth security training, and most organizations do not adequately provide it either, says Danhieux.
“Security is not a priority in the busy world of a developer; they are tasked with delivering beautiful, functional features to strict deadlines,” he says. “Enterprises should seek to lighten the load on security experts by providing engaging, useful training that helps them catch vulnerabilities before code is committed. The right training “upskills” an average developer into a security-aware developer, and that is a positive for the individual and the organization. Building a great security culture with a focus on end-to-end awareness is critical.”
Enterprises should also rely on a Software as a Service (SaaS) platforms, such as Secure Code Warrior’s SaaS platform, that create a hands-on, interactive language and framework to engage their developer in their learning process. In turn, this will enable developers with the tools and modules they need to code securely.
Retention is also important, as well, says Danhieux. “Teams with high turnover often don’t get many opportunities to bond as one, collaborate effectively and work towards a common goal. Retention of great employees can help organizations stay agile and keep company culture in-check,” he says.
Danhieux notes that every team should understand they are valued for what they do, through positive reinforcement, feeling “looked after” through company activities and being part of an empathetic environment that is non-judgmental, supportive and flexible.
Competing With Better Salaries
In 2018, (ISC)² revealed that only 15 percent of cyber professionals were not looking to switch jobs, leaving 85 percent of the cybersecurity workforce open to new opportunities. Those valued cybersecurity professionals are contacted various times per month (34 percent) and others are contacted many times during a day (13 percent) by aggressive recruiters.
Often times, cybersecurity professionals find it hard to compete with better salary packages, which may contribute to why these professionals were looking to switch jobs. Danhieux contends that if organizations cannot compete on salary packages, they need to find other ways to add value. “Can you offer training that helps their career path, develop mentorship programs or the opportunity to learn new skills?” he says.
“Flexibility is also very important to many people. Remember: office visibility from nine-to-five does not guarantee productivity,” he notes. “Employ people you trust in the first place to deliver while working from home, or working around personal appointments. At Secure Code Warrior, we also have an “Infant-At-Work” policy that assists new parents in returning to work sooner without the expense of childcare.”
Finally, it is important to note that salaries might not be deal breakers for many cybersecurity professionals. (ISC)² found that cyber professionals want to work where:
- Their opinions are taken seriously.
- Where they can protect people and their personally identifiable information and data.
- An employer adheres to a strong code of ethics.
In addition, implementing clearly defined ownership of cybersecurity responsibilities, viewing cybersecurity as more broadly than just technology and providing training opportunities can help retain valued employees.
Overall, organizations should always make it a priority to “let people be themselves and enable their best work,” Danhieux says.