Filling the Skills Gap for Effective DevSecOps

The Rise of DevSecOps
While DevOps accelerates agility and scalability of organizations, it may also expand risks of threats—particularly if security is an afterthought in an organization’s cloud strategy. In a recent survey, 52% of companies admitted to scaling back security measures to meet a business deadline or objective. Similarly, 68% said their CEOs demand that DevOps and security teams prioritize accelerating business processes.

Even when organizations race to release updates despite security consequences, the threat landscape is becoming more complex, faster and automated. In the third quarter of 2018, FortiGuard Labs noted almost 34,000 new malware variants—a 40% increase over the second quarter and a 126% increase over the first quarter. Cyber criminals now use advanced technologies such as artificial intelligence (AI) and swarm technology—as well as DevOps itself—to create single-use malware that targets a particular organization across several points of the attack surface.

Thus, companies have realized that security must be woven into the DevOps approach–hence the birth and rapidly increasing adoption– of DevSecOps.

The Security Skills Gap
At the same time that organizations are embracing DevSecOps, the paucity of skilled IT talent persists. A report from 451 Research on the IT skills shortage notes organizations are facing talent gaps across a range of IT specialties, including database administration (31%), general network administration (36%) and server/systems administration (43%).

The dearth of seasoned cybersecurity professionals looms even larger, with an estimated skills gap of just under 3 million individuals. Understandably, 53% of respondents to a report from ESG admitted to a significant shortfall of cybersecurity skills at their organization. These figures represent the general cybersecurity personnel needed to support and secure traditional network environments, to say nothing of DevOps.

Overcoming the Hidden Challenges
In DevOps, any security implementation that hinders speed will be seen as a threat to their primary objectives. Traditional IT teams and DevOps teams are often at odds here. IT will suggest the use of security tools that DevOps sees as causing bottlenecks, which runs counter to their primary objectives. However, while DevOps may be highly proficient at building applications, they often lack the expertise and skills to do so securely.

An answer to this challenge is to add a cybersecurity specialist to each DevOps team to create a DevSecOps team. This DevOps security specialist (or team of specialists) can guide application developers through the shared responsibility model, helping them stay on track with both development and security requirements. They’re also there to provide strategies for consistent security policies across and between all their cloud workloads and services, all while protecting the DevOps mission of reliability and high performance.

With DevSecOps in place, the team can choose, implement and manage tools that will better equip them to meet the goals of speed and security. Take, for instance, the use of security solutions that are offered as a service (SaaS) or web application firewalls, which can auto-scale. That allows publicly facing web apps to grow as needed, without compromising security. The right tools can also be eased into deployment with minimal effort. Some even have built-in functions that cover security during deployment, maintenance, scaling and for all the fine-tuning that needs to take place throughout ongoing use and development.

Once an organization has augmented DevOps with DevSecOps, teams can integrate security from day one of each new project. DevSecOps team can also develop the necessary cloud security playbooks and ensure that those guidelines are followed. DevSecOps can even directly affect the bottom line when they help prevent violations against regulatory requirements and the fees and penalties that come with them.

Closing the Gap
The fact remains, though, that good skills are hard to find. This makes it harder to have a DevSecOps team in place. Applications being built in or migrated to the cloud need to be protected against new threats that propagate across workloads—and from cloud platform misconfigurations at the user interface and application programming interface levels.

Addressing this challenge requires a concerted effort on the part of both the private and public sectors to develop just-in-time training and education programs to develop cybersecurity skills that are critical for every organization, and furthermore educate for cloud security and DevSecOps practices. More and more organizations are in need of training programs that focus on the cloud security skills necessary to upskill their current and future workforce.

Failure to understand and implement a security strategy can make an organization susceptible to policy and enforcement gaps, as well as risk to business continuity and digital operations, which can determine whether or not your organization is able to thrive in today’s digital landscape.

Proactive DevSecOps
As organizations evolve from DevOps to adding a DevSecOps practice, the talent shortage continues to loom large. This shortage could pose significant security risks to your organization. But, you can play an active role in bridging the skills gap by identifying training programs and certifications available for your teams focused on security. Employees completing these trainings and earning relevant certification can then work with IT security and DevOps teams to provide the security that enables the speed you need to remain competitive.