The issue of the lack of workers in the Cybersecurity field is going to be one that plagues 2022 probably even more so than last year. With more sophisticated threats coming out day by day, companies need to hire workers quickly in order to come up to speed.
As I have said before, it's not that there are not enough people to fill these jobs. It's just that companies want that cookie cutter Cyber consultant with every cert under the belt. The problem here is that nobody wants to train these much younger candidates, even if it means on the job training. There are many job titles which need to be filled, and now there is a new one that has just cropped up: the need for software developers that know how to write secure code.
One would think that a recent graduate from a reputable computer science program would have been taught in their courses the principles of how to write some baseline level of secure code. But very often they are not, and the culprit here is the computer science professors themselves. Rather than devoting themselves to quality instruction, many of them just want to do their research. Which is fine of course, if that is what they choose. But critics have pointed out that if a professor is assigned to teach a computer science course in programming, then they owe it professionally to their students to spend some of that time teaching the students how to write secure code.
Because of this, it has been found that at least 76% of all applications by software developers have experienced at least one major security flaw. More information about this can be seen at this link: https://www.veracode.com/state-of-software-security-report
From this report, there are other factors that have been cited as to why there is no training in this regard at the collegiate level:
*Professors simply do not know anything about secure software coding principles;
*If they do know something about it, their focus is more on protection rather than on teaching how a Cyberattacker can actually manipulate a Web app and break in at its weakest point, through a Trojan Horse or a SQL Injection Attack, as examples.
The study (from the link above) also concluded that just as there is a gap between the unrealistic cookie cutter job descriptions and the candidates that are out there, there is also a gap that exists between academia and the real world of Cybersecurity. But the latter is an issue for an article at a later point in time.
So what can be done to resolve the problem that we have now, which is the lack of software developers that have some basic training in secure coding? Here are some ideas:
1) Train 'em:
If you have found a candidate fresh out of college with hardly any training in secure software coding, and if they are excited and you think they have potential, snag 'em up. Train them in the ways that you think secure coding should be done, and if you don't know much about this, then get somebody from your IT Security team to get heavily involved in the early stages of this training for the newbie. By showing that you are taking this extra time for training, not only will the newbie be more motivated to learn, but there will probably be a much higher chance that they will be loyal employees and stick around with you for the long haul (this is also another problem that the Cyber industry is having: employees bailing ship for a higher paying job). But keep in mind, try to keep this training exciting to some degree. Don't make it into some boring college lecture. Use the same principles that you have adopted to create a great Security Awareness Training program and use them here as well. Now, this is all in house training. You may even want to supplement this with training from outside vendors, just as a way to add more mix to the flavor. But above all, try to keep this training based on real instruction, to make it more interactive. Just don't make the whole training program based on some computer modules.
2) Think long term:
The CISOs in Corporate America are under constant pressure, and that vise is closing in tightly every day, making them reach their mental breaking points quickly. One of the pressures they face is that they need to get software development projects off to the client in the expected time of delivery, for the simple reason that the client will then make payment on it. Because of that, the excuse is often made that they cannot afford the time to train newbies in this aspect. But here is where the risk versus reward tradeoff comes into play. Yes, there is a risk that the project could slow down, but guess what? That cost pales in comparison to the cost if a major security breach were to happen to that project you deliver. The client is going to point their fingers directly at you, and you could even possibly face a lawsuit. Now, if you just could have taken some time to train that newbie in how to write secure code, there is a good chance that all of this could have been avoided. And if it comes to the point where you have hired a couple of new developers and you also have a new project handed down to you, try to bake that extra training time into the deadline of the project.
My Thoughts On This:
Yes, it all goes back to the same issue that I have mentioned before: companies will never find that cookie cutter job candidate, and if they do, there is no guarantee that they will even be the right fit for the job when they start. Recruiters are simply basing their expectations on what they put on paper, not on what could potentially happen in the new world.
So take the risk, and hire that newbie. There is really nothing to lose, and IMHO, the benefits far exceed the costs of doing this. But keep in mind also that your experienced developers will have to be at the forefront of the latest secure coding practices as well. So make the training fun, and make it competitive, so that everybody will win in the end: you, the CISO, your employees, and your clients.
In the end, it has been cited that there is a Cyberattack that occurs every 39 seconds on a Web based app, and that the cost of malicious data exfiltration will far surpass the $424 million mark from last year. Try not to be part of these stats, by simply training your team.