Defending your organization from cyberattacks is difficult, but the inability to find the right talent for the job can be disappointing.
Right now, there's a whopping talent gap of 4.07 million globally in the cybersecurity space as per a research conducted by (ISC)2.
It’s not likely to get better soon, as cybersecurity training from universities is not on the way.
This talent shortage affects every level of cybersecurity. While senior security experts are needed for complex tasks, like ethical hacking and threat modeling, fundamental security tasks are often overlooked.
Image source: (ISC)2 Cybersecurity Workforce Study, 2019
As per a recent study, it was found that more than 50 percent of organizations had misconfigured at least one of their cloud storage services, thereby exposing sensitive data.
Why is this happening?
Organizations know they need to protect their applications and systems. Nobody thinks it’s a good policy to leave open their systems containing information on millions of users to anyone.
The problem is there are just too few cybersecurity professionals available to protect software and systems using traditional, manual processes.
Building security into applications requires efforts
Secure development requires organizations to identify threats and risks and then build controls for risk mitigation. These tasks require the expertise of security professionals as well as the involvement of developers.
There are frameworks available to help security and development teams to build more secure software. For instance,
- The U.S. National Institute of Standards and Technologies (NIST) publishes SP800-53, a database of security controls and SP 800-95 Guide to Secure Web Services.
- The Open Web Application Security Project (OWASP) provides an Application Security Verification Standard (ASVS) to help organizations test application security controls.
- The Cloud Security Alliance provides help for organizations migrating to the cloud environment.
Similarly, regulatory standards also provide guidance to build security into software development.
- The International Organization for Standardization (ISO) publishes dozens of standards to guide organizations security efforts, including ISO 27001 for information security.
- Likewise, the Payment Card Industry Data Security Standard (PCI DSS) provides granular guidance on securing applications managing cardholder information, including testing procedures for each requirement.
Following these frameworks helps organizations develop internal policies for secure coding.
These include security requirements, threat modeling, security controls to mitigate risk, and test plans to validate that all controls are implemented properly.
The ever-changing world of technology and new regulatory standards make it necessary for the cybersecurity workforce to continuously acquire new skills. Because there are so many requirements in the cybersecurity industry, it's difficult to fill the skills gap.
Too many tasks, not enough cybersecurity experts
The problem is not that people don’t know what they could do, they simply lack the bandwidth to do everything.
For instance, tasks like threat modeling exercises can require weeks of effort from senior security and development resources. Traditional methods don’t scale and aren’t practical for anything other than the most critical applications. This leaves hundreds or thousands of other applications with security weaknesses.
When it comes to application security, most efforts to build security are inconsistent and conducted without thoughtful planning and prioritization.
What's the solution to the cybersecurity skills gap?
While continued training and hiring more security experts can help, automation is the key to scaling a security program.
Automation was successfully adopted in security testing many years ago, transforming vulnerability management from an ad hoc exercise to continuous monitoring.
Automation has transformed application security testing. Instead of manual code reviews for portions of critical applications, people can now conduct automated static and dynamic analysis of a broader set of applications.
While some validation of the results is recommended, this can be assigned to people who aren't cybersecurity experts. Automation allows senior security resources to only focus on critical applications that require additional scrutiny.
Like application testing, security requirements, policies, and threat modeling can also be automated. Rather than using more spreadsheets and run books, automation can classify projects, identify risks, and translate regulatory requirements into simple security tasks.
With a larger percentage of an organization’s application inventory covered by automation, security resources can be used as needed when a critical project demands deeper analysis.
Automation is a force multiplier
Organizations face more threats than ever, and their adversaries are better funded and more skilled than in the past. While security teams need to defend against all attack vectors, hackers need only find a single weakness to exploit.
Automation “stretches” security resources by covering repetitive tasks for which policies are established. Automation can ensure that tasks are documented and clear, allowing software security to scale across more applications. This also leaves scarce security resources available for tasks that require more analysis and expertise.
Automation also provides consistency and continuous validation. By standardizing risk identification and controls, organizations can ensure that every project uses appropriate measures and complies with policies. And by providing a centralized repository for each project along with validation tests, you can provide instant access to the status of each security control along with a verifiable audit trail.
Read our latest guide on application security to learn how you can proactively build security into software development through automation.