Some CISOs are turning the security skills shortage into an opportunity
As I head to San Francisco this week to attend RSA, I am gearing up for a lot of discussions with CISOs. It may surprise you, but the conversation with many CISOs these days is not a happy one.
They know security risks are increasing, but many can't see the opportunity for security improvements, instead believing their organisations are more likely to fall victim to a data breach or cybersecurity attack than ever before.
One of the most common themes in my regular CISO conversations involves their concerns about the problematic shortage of cybersecurity skills.
"Our security team isn't large enough for the size of our engineering team or company."
"Our security team keeps being poached by companies overseas who offer extraordinary salary packages and the opportunity to work on and explore other continents."
"Our security experts are too busy fighting fires to keep up their skill development."
This theme is backed by several research reports, including a 2017 Ponemon Institute Survey where "lack of competent in-house staff" topped all other forms of CISO cybersecurity concerns for 2018.
This critical security skills gap is not likely to go away any time soon, especially in markets like Australia where the brightest talent often moves offshore and immigration laws make it increasingly challenging to bring foreign security experts into the country.
One of the interesting things about the Australian skills shortage is that the lack of ability to recruit skilled experts has led to some positive focus on national security skill-building. As Benjamin Franklin was supposed to have said, "Out of adversity comes opportunity." Australian governments, educational institutions, corporates and start-ups are working on programs to build a range of security skills locally.
One area where the security skills adversity has definitely led to opportunity is the development of secure coding skills within in-house and outsourced development teams. Given that most of the world's major security breaches can be attributed to coding errors and the average breach costs US$3.6 million, software security is definitely a significant part of the security challenge. One of the biggest (and growing) spends within application security budgets is on reactive identification and remediation of application security flaws, often with the same old bugs recurring year after year.
Empowering developers to write secure code from the start is an opportunity for CISOs to seize some proactive control over the security predicament, and one where there is the chance for fast, easy and measurable improvements for both security and development teams.
This doesn't mean replacing security experts with developers, but it does mean engaging developers on security issues, making security part of their daily mindset and teaching them to code securely in a way that is fun, effective and efficient. The outcome is that scarce security expertise can be better spent on finding and fixing the really challenging, complex bugs, rather than dealing with the same old vulnerabilities.
To some CISOs, this might all sound too good to be true, or too hard to implement, but the truth is it is neither of those things. At Secure Code Warrior, we have seen more and more CISOs embracing this opportunity, and transforming the working lives of both security and development teams in the process.
One group of CISOs that has led the charge globally in developing a strong security mindset and skills among their software developers is the CISOs of the Australian banks. The Aussie banks were early adopters of this approach back in 2016 and 2017. The country's top six banks now actively encourage and engage their dev teams to build secure coding skills through our online, self-paced, gamified learning environment. The banks also regularly review real-time metrics and reporting to verify the strengths and weaknesses of their developers and teams.
Tangible and positive outcomes are flowing from the approach, including a reduction in the occurrence of common vulnerabilities, increased developer security awareness and an improved relationship between security and development teams. Companies that invest in teaching their developers to code securely will reduce the pressure on their existing security talent as well as reducing their exposure to insecure software.
If you are a CISO (or know one) who feels depressed about the security situation within your organisation, I encourage you to think about a straightforward way to score some positive and tangible security improvement points. Empower your developers to learn to code securely in a way that is relevant, positive and fun. Your security and development teams will thank you for it, and you will also strip out costs and delays from product innovation and development. My bet is it will pave the way for many positive security conversations.
Pieter Danhieux, Chief Executive Officer, Chairman, and Co-Founder of Secure Code Warrior, is a globally recognized security expert, with over 12 years' experience as a security consultant and 8 years as a Principal Instructor for SANS, teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech People in Australia (Business Insider), was awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association), and holds the GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT and GCIA certifications.