For the last 5-10 years, we’ve all heard a lot of talk about the global shortage of cybersecurity talent. It’s an issue that’s plagued the industry for years, and according to (ISC)², a nonprofit for information security leaders, the security industry would need more than 3 million skilled professionals to close the skills gap. That’s a whole lotta people.
The shortage is due to a variety of factors, ranging from a lack of advanced skills to a limited number of professionals entering the field in the first place. And the expanding threat landscape only exacerbates the problem. Qualified security professionals are spread too thin, and turnover is high at companies across the board from tech start-ups to corporations to government agencies. Also, most security teams spend more time managing security tools than actually hunting and eradicating adversaries, which is caused by the archaic way security vendors continue to deliver security outcomes (via hardware and software), which I’ve covered in this post: [insert title and link]
So, how exactly are developers, who generally aren’t security experts, going to help close the gap?
Before we address the question, it’s important to walk through why variations of (really) the same two training-oriented solutions the industry continues to push, aren’t working.
- Let’s develop more cyber warriors through higher education: One frequent suggestion is developing better cybersecurity programs at colleges and universities – and more of them. Well, that’s going to take a long, long time. And, as we know, academia is no substitute for frontline experience.
- Let’s train non-security technical staff on cybersecurity: The inherent issue with this approach is not only, “are the staff even interested in security?” but the lack of appreciation for the attributes most talented security professionals possess – curiosity, attention to detail, commitment to mission, just to name a few.
These low-and-slow solutions have major flaws – they take too long and we’re simply “training” more people to become defenders. I think there is a far more efficient and effective way to slow down the attackers and reduce the need for millions of new cybersecurity resources.
Focus on where the problem originally manifests itself
A few obvious points I’d like to make. Today, most security vendors sell hardware and software-based solutions, which are then operated by a company’s security or network team team or a third-party managed service. At the end of the day, these solutions are used to detect, prevent, (or whatever other buzzword is trending) hackers from doing nefarious things. “Nefarious things,” in most cases, involves exploiting software vulnerabilities.
Call me crazy, but if most adversaries are exploiting software vulnerabilities, wouldn’t it make sense for us (the security industry) to focus more of our time and attention on improving and enabling the security of the applications?
And wait…while there are only (roughly) 3.5 million cybersecurity professionals worldwide, there are exponentially more software developers – approximately 86 million on just Github and Gitlab alone, as of the writing of this article. I think it’s safe to assume software developers also have a vested interest in protecting the software they’ve built.
So rather than trying to recruit and train millions of new cybersecurity experts, what if we also enable the existing population of software developers to build security controls directly into their products via APIs, without having to become security experts?
The future is spelled A-P-I
For the most part, the tech world has embraced the use of APIs. Look no farther than Stripe and Twilio for shining examples of that. But the security industry is lagging way, way behind. If security vendors start building API-based security tools for developers rather than purely for security professionals, it would eliminate some of the responsibilities from overworked security teams and shifts security left to the massive population of developers who are already familiar with APIs. This would free up security teams to work on higher-level strategy and (bonus) it would result in more secure applications.
I’m by no means suggesting that we shouldn’t develop more security talent – we should. I’m simply suggesting that the security industry deliver solutions that can be integrated directly into applications, enabling customers – and tens of millions of developers around the world – to integrate security directly into their products.
Yes, this would require a massive mindset shift and more API-first security solutions, but I believe it will curb the impossible-to-fulfill demand for security professionals, by enabling a far larger population of software developers to join the fight against evil and build more secure applications.