Industry Trends

Bridging the Skills Gap for Successful DevSecOps

By Lior Cohen | September 15, 2020

Skills Gap Perspectives 

This is a summary of an article written for by Lior Cohen, Senior Director of Products and Solutions for Cloud Security at Fortinet. The entire article can be accessed here.

DevOps can be instrumental in accelerating the scalability and agility of organizations. But because few DevOps professionals have adequate security experience or training, it can also expand the risk of threats. And while some organizations are committed to building more secure cloud environments and applications, one survey revealed that 52% of companies scale back security measures when faced with particular business objectives or strict deadlines. Another 68% reported that their CEOs have been known to prioritize business process acceleration over security.

As organizations race to release application updates with little to no consideration for the security implications, the threat landscape continues to grow more effective and complex. Cybercriminals are finding and exploiting the security gaps inherent in DevOps processes where security is not a top priority. And by corrupting the cloud tools that DevOps teams use, attackers can introduce malware that targets an organization across several attack points even while an application is still being developed.

With this in mind, some organizations have begun to understand that security must be woven into the DevOps approach. This has resulted in the new and growing field of DevSecOps.

The Persistence of the Cybersecurity Skills Gap

But while organizations increasingly embrace DevSecOps, the scarcity of skilled IT professionals persists, creating a significant roadblock for achieving the objective of a secure DevOps strategy. A 451 Research report notes that organizations face a considerable lack of qualified professionals in IT specialties like general network administration (36%), server and systems administration (43%), and database administration (31%), among others. This is especially true when it comes to cybersecurity professionals who also have DevOps experience.

The shortage of experienced cybersecurity professionals is estimated at just under 3 million people. This issue is highlighted in a survey conducted by ESG, where 53% of respondents reported significant deficits in cybersecurity skill sets within their organizations. Considering this data represents the general cybersecurity challenge of finding personnel to secure and support traditional network environments, one can only imagine where DevOps stands in relation to the cybersecurity skills gap.

Addressing the Hidden Challenges in DevSecOps

Another DevOps challenge is the common misperception that security implementations hinder the speed of development and are therefore a threat to the team's main goals. This is where IT and DevOps teams struggle to see eye to eye. Often, the IT team will recommend the use of security tools or the implementation of security measures that the DevOps team interprets as a bottleneck running counter to its primary objectives. And they may sometimes be right, as IT may not have the skill level necessary to understand the challenges of DevOps processes. However, the need for security remains, and despite their proficiency at building applications, DevOps teams often lack the expertise needed to do their jobs securely.

Adding a cybersecurity specialist to every DevOps team can address this challenge. This specialist (or team) can guide application developers to establish and abide by both security and development requirements. They can also provide strategies to ensure consistent security policies throughout all cloud services and workloads, while maintaining DevOps’ principal mission of fast development, high performance, and reliability.

Once DevSecOps is in place, the team can select, implement, and manage tools that will help them achieve the twin goals of security and speed. One example of this is learning how to implement Software-as-a-Service (SaaS) security solutions or web application firewalls that feature auto-scalability, enabling public-facing web applications to grow as needed without compromising security. With the right tools in place, DevSecOps teams can maintain a deployment schedule that requires minimal effort, as well as implement built-in functions that cover security during the deployment, maintenance, and scaling phases of development.

By transitioning DevOps to DevSecOps, teams can incorporate security from the inception of all new projects. This includes the development of relevant cloud security playbooks by DevSecOps teams as a means to ensure adherence to essential guidelines. By helping to prevent violations of regulatory requirements, as well as associated fees and penalties, DevSecOps teams can have a direct impact on the bottom line, further demonstrating the value of adding a security component to development to organizational leaders.

Bridging the Cybersecurity Skills Gap

Despite the benefits of DevSecOps, the cybersecurity skills gap remains a looming presence that makes it challenging to build a qualified team. But despite the shortage of talent, applications developed in or being moved to the cloud still need to be protected from novel threats circulated across workloads. They should also be safe from unsecured platform configurations, both at the user and application programming interface (API) levels.

Organizations that fail to understand and implement security strategies are prone to policy and enforcement gaps. They also increase the level of risk facing their digital and business continuity operations, both of which largely determine how well organizations can thrive in the current digital landscape.

To address this challenge, private and public sectors must work together to develop education programs and/or just-in-time training, building the critical cybersecurity skills every organization needs from the ground up, if necessary. This should include developing best practices, establishing baseline requirements, and selecting team members to be trained in DevSecOps and cloud security best practices to establish a mentoring program within an organization. Such strategies will not only protect DevOps strategies now, but also improve the competence of both the current and future workforce.

Enabling Proactive DevSecOps

As businesses seek to transition from DevOps to a DevSecOps practice, the talent shortage continues to loom, posing significant security risks across organizations. However, these same organizations can proactively bridge the skills gap by enriching their IT teams with relevant training programs and certifications. Employees who complete these programs and earn the necessary certifications can not only work with both DevOps and IT teams to provide security, but also create a climate where security functions alongside speed and high-performance functionality, which will keep businesses competitive.

Learn how Fortinet’s dynamic cloud security solutions enable organizations to deploy any application in any cloud.

Find out more about Fortinet’s NSE Training Institute programs, including the Certification Program, Security Academy Program and Veterans Program, which provide critical cybersecurity training and education to help solve the cyber skills gap and prepare the cybersecurity workforce of tomorrow.