Insights into the cybersecurity skills gap
In a poll taken at a recent Imperva webinar, “What’s New in ‘22? Cybersecurity Trends and Predictions,” participants said it’s easier to turn security practitioners into cloud professionals by a margin of 65-35.
Three Directors in Imperva’s Office of the CTO discussed the issue in some depth.
Brian Anderson: It’s always an interesting dynamic between security professionals and application developers. Developers have lofty ideas about adopting the latest technologies, but they don’t necessarily have a security focus, so security can be seen as a kind of “un-enabler” to the business. Security often tells the developers “go redesign your stuff to comply with this standard.” How do you reconcile these things? It’s a big challenge.
Joe Moore: Your introduction into software or applications development may dictate which way you lean here. As we see applications moving into the cloud, we are seeing application teams starting to have to deploy networks and virtual environments, and as a result, they tend to grow more into the cloud practitioner model rather than the security practitioner model.
Peter Klimek: Ideally, everyone that is involved in the development lifecycle process should have the ability to deploy infrastructure as well as have an awareness about what to do about security. In reality, however, this is not always the case. This is especially true for people who start learning to be developers first. I often work with customers that get excited to deploy a new web application and their entire focus is on how much traffic the app will generate. In the development lifecycle process, they don’t stop to think about engaging security early enough. To counter this, some of these customers will engage a model in which they’ll employ a “satellite person” who works as an extension of a development team to enable the developers to maintain an essentially secure organization. Not everyone does this because it’s not the easiest thing to accomplish. Attracting and retaining industry talent that has both skill sets and sees development and security as kinds of merged skills is a better approach when possible.
Brian Anderson: This brings us to the current talent-hiring landscape. If you are one of the “big boys” that has many offices and thousands of remote workers, the landscape is a bit more favorable. For small to medium-sized companies, it’s very difficult to get top talent that features both skill sets. In that context, how do you enable your organization to overcome this challenge? From my personal perspective, you make it a priority to hire very good developers because that is the easiest path, then you enable them to develop strong security awareness along the way. This would go a long way to overcoming the challenge of not having the budget to attract top security people. So in the end, I think it’s easier to bring in cloud developers and enable them to build security skills than to attract security practitioners and make them cloud professionals.
Joe Moore: I’m going to take the opposite position here, purely because it is easier to turn security practitioners into cloud professionals. My specific reason for saying this is that there is a certain security mindset that everyone possesses. A healthy level of paranoia, if you will. And many cybersecurity leaders have played the “Chicken Little” role for so long, screaming from the rooftops that the sky is falling with regard to the lack of security expertise in organizations, and nobody believed us. Then when the sky really was falling, everything that we said was going to be bad turned out to be true. Look at the recent Log4j remote code execution vulnerability. These are the types of things where I think security practitioners have that healthy kind of paranoia that makes it easier to turn them into cloud practitioners. Later, teach them the fundamentals, put them through certification programs and things like that. How do you instill that paranoia into someone that’s already a cloud practitioner? I don’t know. Maybe you just peel back the covers and show them what it looks like on the inside.
Peter Klimek: I agree that it’s best to have that healthy paranoia and then go into the development mindset. One of the challenges we see is, as a practical matter in the industry, finding good security practitioners that are able to take on and master the development skill set is hard. Security and development seem to be a “left brain, right brain” kind of thing. It’s hard to get top talent that can do both and enable them. Are there enough people out there to recruit and hire to fill all the dual roles that need filling? I don’t think so, and that would be the argument against it.
Brian Anderson: I would say that the healthy paranoia often prohibits the business from doing what it is ultimately trying to do: generate revenue. Developers build a “don’t get in my way” mentality. You have made a very good case, but I’m still going to stick to my original opinion.
Peter Klimek: Right now, all these skills are blending together and the line between one skill set and the other is becoming more blurry. In cloud environments, both public and private, the issue is becoming much more complex. But that said, I think there’s a bigger vacancy of security professionals than there is for developers and that says a lot.
For more on this discussion and many more insights into what to look for in cybersecurity in 2022, watch the on-demand webinar.