Some CISOs are turning the security skills shortage into an opportunity
As I head to San Francisco this week to attend RSA, I am gearing up for a lot of discussions with CISOs. It may surprise you, but the conversation with many CISOs these days is not a happy one.
They know security risks are increasing, but many can't see the opportunity for security improvements, instead believing their organisations are more likely to fall victim to a data breach or cybersecurity attack than ever before.
One of the most common themes in my regular CISO conversations involves their concerns about the problematic shortage of cybersecurity skills.
"Our security team isn't large enough for the size of our engineering team or company."
"Our security team keep being poached by companies overseas who offer extraordinary salary packages and the opportunity to work and explore other continents."
"Our security experts are too busy fighting fires to keep up their skill development".
This theme is backed by several research reports, including a 2017 Ponemon Institute Survey where "lack of competent in-house staff" topped all other forms of CISO cybersecurity concerns for 2018.
This critical security skills gap is not likely to go away any time soon, especially in markets like Australia where the brightest talent often moves offshore and immigration laws make it increasingly challenging to bring foreign security experts into the country.
One of the interesting things about the Australian skills shortage is that the lack of ability to recruit skilled experts has led to some positive focus on national security skill-building. As Benjamin Franklin was supposed to have said, "Out of adversity comes opportunity." Australian governments, educational institutions, corporates and start-ups are working on programs to build a range of security skills locally.
One area where the security skills adversity has definitely led to opportunity is in the development of secure coding skills within inhouse and outsourced development teams. Given most of the worlds major security breaches can be attributed to coding errors and the average breach costs $US3.6 million, software security is definitely a significant part of the security challenge. One of the biggest (and increasing) spends within application security budgets is on reactive application security identification and remediation, often with the same old bugs occurring year after year.
Empowering developers to write secure code from the start is an opportunity for CISOs to seize some proactive control from the security predicament, and where there is the chance for fast, easy and measurable improvements " for both security and development teams.
It doesn't mean replacing security experts with developers, but it does mean engaging developers on security issues, making security part of their daily mindset and teaching them to code securely in a way that is fun, effective and efficient. The outcome will be that scarce security expertise can be better spent on finding and fixing the really challenging, complex bugs, rather than dealing with the same old vulnerabilities.
To some CISOs, this might all sound too good to be true, or too hard to implement, but the truth is it is neither of those things. At Secure Code Warrior, we have seen more and more CISOs embracing this opportunity, and transforming the working lives of both security and development teams in the process.
One group of CISOs who have led the charge globally to develop a strong security mindset and skills among their software developers is the Australian banks. The Aussie banks were the early adopters of this approach back in 2016 and 2017. The country's top six banks now actively encourage and engage their dev teams to build secure coding skills through our online, self-paced, gamified learning environment. The banks are also regularly reviewing real-time metrics and reporting to verify the strengths and weaknesses of their developers and teams.
Tangible and positive outcomes are flowing from the approach, including a reduction in the occurrence of common vulnerabilities, increased developer security awareness and an improved relationship between security and development teams. Companies who invest in teaching their developers to code securely will reduce the pressure on their existing security talent as well as reducing their exposure through software insecurities.
If you are a CISO (or know one) who feels depressed about the security situation within your organisation, I encourage you to think about a straightforward way to score some positive and tangible security improvement points. Empower your developers to learn to code securely in a way that is relevant, positive and fun. Your security and development teams will thank you for it and you will also strip out costs and delays with product innovation and development. My bet is it will pave the way for many positive security conversations _....
Empowering developers to write secure code from the start is an opportunity for CISOs to seize some proactive control from the security predicament, and where there is the chance for fast, easy and measurable improvements " for both security and development teams.
Empowering developers to write secure code from the start is an opportunity for CISOs to seize some proactive control from the security predicament, and where there is the chance for fast, easy and measurable improvements for both security and development teams.
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demo
Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
As I head to San Francisco this week to attend RSA, I am gearing up for a lot of discussions with CISOs. It may surprise you, but the conversation with many CISOs these days is not a happy one.
They know security risks are increasing, but many can't see the opportunity for security improvements, instead believing their organisations are more likely to fall victim to a data breach or cybersecurity attack than ever before.
One of the most common themes in my regular CISO conversations involves their concerns about the problematic shortage of cybersecurity skills.
"Our security team isn't large enough for the size of our engineering team or company."
"Our security team keep being poached by companies overseas who offer extraordinary salary packages and the opportunity to work and explore other continents."
"Our security experts are too busy fighting fires to keep up their skill development".
This theme is backed by several research reports, including a 2017 Ponemon Institute Survey where "lack of competent in-house staff" topped all other forms of CISO cybersecurity concerns for 2018.
This critical security skills gap is not likely to go away any time soon, especially in markets like Australia where the brightest talent often moves offshore and immigration laws make it increasingly challenging to bring foreign security experts into the country.
One of the interesting things about the Australian skills shortage is that the lack of ability to recruit skilled experts has led to some positive focus on national security skill-building. As Benjamin Franklin was supposed to have said, "Out of adversity comes opportunity." Australian governments, educational institutions, corporates and start-ups are working on programs to build a range of security skills locally.
One area where the security skills adversity has definitely led to opportunity is in the development of secure coding skills within inhouse and outsourced development teams. Given most of the worlds major security breaches can be attributed to coding errors and the average breach costs $US3.6 million, software security is definitely a significant part of the security challenge. One of the biggest (and increasing) spends within application security budgets is on reactive application security identification and remediation, often with the same old bugs occurring year after year.
Empowering developers to write secure code from the start is an opportunity for CISOs to seize some proactive control from the security predicament, and where there is the chance for fast, easy and measurable improvements " for both security and development teams.
It doesn't mean replacing security experts with developers, but it does mean engaging developers on security issues, making security part of their daily mindset and teaching them to code securely in a way that is fun, effective and efficient. The outcome will be that scarce security expertise can be better spent on finding and fixing the really challenging, complex bugs, rather than dealing with the same old vulnerabilities.
To some CISOs, this might all sound too good to be true, or too hard to implement, but the truth is it is neither of those things. At Secure Code Warrior, we have seen more and more CISOs embracing this opportunity, and transforming the working lives of both security and development teams in the process.
One group of CISOs who have led the charge globally to develop a strong security mindset and skills among their software developers is the Australian banks. The Aussie banks were the early adopters of this approach back in 2016 and 2017. The country's top six banks now actively encourage and engage their dev teams to build secure coding skills through our online, self-paced, gamified learning environment. The banks are also regularly reviewing real-time metrics and reporting to verify the strengths and weaknesses of their developers and teams.
Tangible and positive outcomes are flowing from the approach, including a reduction in the occurrence of common vulnerabilities, increased developer security awareness and an improved relationship between security and development teams. Companies who invest in teaching their developers to code securely will reduce the pressure on their existing security talent as well as reducing their exposure through software insecurities.
If you are a CISO (or know one) who feels depressed about the security situation within your organisation, I encourage you to think about a straightforward way to score some positive and tangible security improvement points. Empower your developers to learn to code securely in a way that is relevant, positive and fun. Your security and development teams will thank you for it and you will also strip out costs and delays with product innovation and development. My bet is it will pave the way for many positive security conversations _....
Empowering developers to write secure code from the start is an opportunity for CISOs to seize some proactive control from the security predicament, and where there is the chance for fast, easy and measurable improvements " for both security and development teams.
As I head to San Francisco this week to attend RSA, I am gearing up for a lot of discussions with CISOs. It may surprise you, but the conversation with many CISOs these days is not a happy one.
They know security risks are increasing, but many can't see the opportunity for security improvements, instead believing their organisations are more likely to fall victim to a data breach or cybersecurity attack than ever before.
One of the most common themes in my regular CISO conversations involves their concerns about the problematic shortage of cybersecurity skills.
"Our security team isn't large enough for the size of our engineering team or company."
"Our security team keep being poached by companies overseas who offer extraordinary salary packages and the opportunity to work and explore other continents."
"Our security experts are too busy fighting fires to keep up their skill development".
This theme is backed by several research reports, including a 2017 Ponemon Institute Survey where "lack of competent in-house staff" topped all other forms of CISO cybersecurity concerns for 2018.
This critical security skills gap is not likely to go away any time soon, especially in markets like Australia where the brightest talent often moves offshore and immigration laws make it increasingly challenging to bring foreign security experts into the country.
One of the interesting things about the Australian skills shortage is that the lack of ability to recruit skilled experts has led to some positive focus on national security skill-building. As Benjamin Franklin was supposed to have said, "Out of adversity comes opportunity." Australian governments, educational institutions, corporates and start-ups are working on programs to build a range of security skills locally.
One area where the security skills adversity has definitely led to opportunity is in the development of secure coding skills within inhouse and outsourced development teams. Given most of the worlds major security breaches can be attributed to coding errors and the average breach costs $US3.6 million, software security is definitely a significant part of the security challenge. One of the biggest (and increasing) spends within application security budgets is on reactive application security identification and remediation, often with the same old bugs occurring year after year.
Empowering developers to write secure code from the start is an opportunity for CISOs to seize some proactive control from the security predicament, and where there is the chance for fast, easy and measurable improvements " for both security and development teams.
It doesn't mean replacing security experts with developers, but it does mean engaging developers on security issues, making security part of their daily mindset and teaching them to code securely in a way that is fun, effective and efficient. The outcome will be that scarce security expertise can be better spent on finding and fixing the really challenging, complex bugs, rather than dealing with the same old vulnerabilities.
To some CISOs, this might all sound too good to be true, or too hard to implement, but the truth is it is neither of those things. At Secure Code Warrior, we have seen more and more CISOs embracing this opportunity, and transforming the working lives of both security and development teams in the process.
One group of CISOs who have led the charge globally to develop a strong security mindset and skills among their software developers is the Australian banks. The Aussie banks were the early adopters of this approach back in 2016 and 2017. The country's top six banks now actively encourage and engage their dev teams to build secure coding skills through our online, self-paced, gamified learning environment. The banks are also regularly reviewing real-time metrics and reporting to verify the strengths and weaknesses of their developers and teams.
Tangible and positive outcomes are flowing from the approach, including a reduction in the occurrence of common vulnerabilities, increased developer security awareness and an improved relationship between security and development teams. Companies who invest in teaching their developers to code securely will reduce the pressure on their existing security talent as well as reducing their exposure through software insecurities.
If you are a CISO (or know one) who feels depressed about the security situation within your organisation, I encourage you to think about a straightforward way to score some positive and tangible security improvement points. Empower your developers to learn to code securely in a way that is relevant, positive and fun. Your security and development teams will thank you for it and you will also strip out costs and delays with product innovation and development. My bet is it will pave the way for many positive security conversations _....
Empowering developers to write secure code from the start is an opportunity for CISOs to seize some proactive control from the security predicament, and where there is the chance for fast, easy and measurable improvements " for both security and development teams.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demo
Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
As I head to San Francisco this week to attend RSA, I am gearing up for a lot of discussions with CISOs. It may surprise you, but the conversation with many CISOs these days is not a happy one.
They know security risks are increasing, but many can't see the opportunity for security improvements, instead believing their organisations are more likely to fall victim to a data breach or cybersecurity attack than ever before.
One of the most common themes in my regular CISO conversations involves their concerns about the problematic shortage of cybersecurity skills.
"Our security team isn't large enough for the size of our engineering team or company."
"Our security team keep being poached by companies overseas who offer extraordinary salary packages and the opportunity to work and explore other continents."
"Our security experts are too busy fighting fires to keep up their skill development".
This theme is backed by several research reports, including a 2017 Ponemon Institute Survey where "lack of competent in-house staff" topped all other forms of CISO cybersecurity concerns for 2018.
This critical security skills gap is not likely to go away any time soon, especially in markets like Australia where the brightest talent often moves offshore and immigration laws make it increasingly challenging to bring foreign security experts into the country.
One of the interesting things about the Australian skills shortage is that the lack of ability to recruit skilled experts has led to some positive focus on national security skill-building. As Benjamin Franklin was supposed to have said, "Out of adversity comes opportunity." Australian governments, educational institutions, corporates and start-ups are working on programs to build a range of security skills locally.
One area where the security skills adversity has definitely led to opportunity is in the development of secure coding skills within inhouse and outsourced development teams. Given most of the worlds major security breaches can be attributed to coding errors and the average breach costs $US3.6 million, software security is definitely a significant part of the security challenge. One of the biggest (and increasing) spends within application security budgets is on reactive application security identification and remediation, often with the same old bugs occurring year after year.
Empowering developers to write secure code from the start is an opportunity for CISOs to seize some proactive control from the security predicament, and where there is the chance for fast, easy and measurable improvements " for both security and development teams.
It doesn't mean replacing security experts with developers, but it does mean engaging developers on security issues, making security part of their daily mindset and teaching them to code securely in a way that is fun, effective and efficient. The outcome will be that scarce security expertise can be better spent on finding and fixing the really challenging, complex bugs, rather than dealing with the same old vulnerabilities.
To some CISOs, this might all sound too good to be true, or too hard to implement, but the truth is it is neither of those things. At Secure Code Warrior, we have seen more and more CISOs embracing this opportunity, and transforming the working lives of both security and development teams in the process.
One group of CISOs who have led the charge globally to develop a strong security mindset and skills among their software developers is the Australian banks. The Aussie banks were the early adopters of this approach back in 2016 and 2017. The country's top six banks now actively encourage and engage their dev teams to build secure coding skills through our online, self-paced, gamified learning environment. The banks are also regularly reviewing real-time metrics and reporting to verify the strengths and weaknesses of their developers and teams.
Tangible and positive outcomes are flowing from the approach, including a reduction in the occurrence of common vulnerabilities, increased developer security awareness and an improved relationship between security and development teams. Companies who invest in teaching their developers to code securely will reduce the pressure on their existing security talent as well as reducing their exposure through software insecurities.
If you are a CISO (or know one) who feels depressed about the security situation within your organisation, I encourage you to think about a straightforward way to score some positive and tangible security improvement points. Empower your developers to learn to code securely in a way that is relevant, positive and fun. Your security and development teams will thank you for it and you will also strip out costs and delays with product innovation and development. My bet is it will pave the way for many positive security conversations _....
Empowering developers to write secure code from the start is an opportunity for CISOs to seize some proactive control from the security predicament, and where there is the chance for fast, easy and measurable improvements " for both security and development teams.
Table of contents
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
.png)
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.
Deep Dive: Navigating the Critical CUPS Vulnerability in GNU-Linux Systems
Discover the latest security challenges facing Linux users as we explore recent high-severity vulnerabilities in the Common UNIX Printing System (CUPS). Learn how these issues may lead to potential Remote Code Execution (RCE) and what you can do to protect your systems.
