Some CISOs are turning the security skills shortage into an opportunity
As I head to San Francisco this week to attend RSA, I am gearing up for a lot of discussions with CISOs. It may surprise you, but the conversation with many CISOs these days is not a happy one.
They know security risks are increasing, but many can't see the opportunity for security improvements, instead believing their organisations are more likely to fall victim to a data breach or cybersecurity attack than ever before.
One of the most common themes in my regular CISO conversations involves their concerns about the problematic shortage of cybersecurity skills.
"Our security team isn't large enough for the size of our engineering team or company."
"Our security team keeps being poached by companies overseas who offer extraordinary salary packages and the opportunity to work and explore other continents."
"Our security experts are too busy fighting fires to keep up their skill development."
This theme is backed by several research reports, including a 2017 Ponemon Institute survey in which "lack of competent in-house staff" topped all other CISO cybersecurity concerns for 2018.
This critical security skills gap is not likely to go away any time soon, especially in markets like Australia where the brightest talent often moves offshore and immigration laws make it increasingly challenging to bring foreign security experts into the country.
One of the interesting things about the Australian skills shortage is that the inability to recruit skilled experts has led to some positive focus on national security skill-building. As Benjamin Franklin is supposed to have said, "Out of adversity comes opportunity." Australian governments, educational institutions, corporates and start-ups are working on programs to build a range of security skills locally.
One area where the security skills adversity has definitely led to opportunity is in the development of secure coding skills within in-house and outsourced development teams. Given that most of the world's major security breaches can be attributed to coding errors and the average breach costs US$3.6 million, software security is a significant part of the security challenge. One of the biggest (and growing) spends within application security budgets is on reactive identification and remediation of vulnerabilities, often with the same old bugs recurring year after year.
Empowering developers to write secure code from the start is an opportunity for CISOs to take back some proactive control of the security predicament, and one where fast, easy and measurable improvements are possible for both security and development teams.
It doesn't mean replacing security experts with developers, but it does mean engaging developers on security issues, making security part of their daily mindset and teaching them to code securely in a way that is fun, effective and efficient. The outcome will be that scarce security expertise can be better spent on finding and fixing the really challenging, complex bugs, rather than dealing with the same old vulnerabilities.
To some CISOs, this might all sound too good to be true, or too hard to implement, but the truth is it is neither of those things. At Secure Code Warrior, we have seen more and more CISOs embracing this opportunity, and transforming the working lives of both security and development teams in the process.
One group of CISOs who have led the charge globally to develop a strong security mindset and skills among their software developers is the Australian banks. The Aussie banks were early adopters of this approach back in 2016 and 2017. The country's top six banks now actively encourage and engage their dev teams to build secure coding skills through our online, self-paced, gamified learning environment. The banks also regularly review real-time metrics and reporting to identify the strengths and weaknesses of their developers and teams.
Tangible and positive outcomes are flowing from the approach, including a reduction in the occurrence of common vulnerabilities, increased developer security awareness and an improved relationship between security and development teams. Companies that invest in teaching their developers to code securely will reduce the pressure on their existing security talent as well as reducing their exposure through insecure software.
If you are a CISO (or know one) who feels depressed about the security situation within your organisation, I encourage you to think about a straightforward way to score some positive and tangible security improvement points. Empower your developers to learn to code securely in a way that is relevant, positive and fun. Your security and development teams will thank you for it, and you will also strip out costs and delays from product innovation and development. My bet is it will pave the way for many positive security conversations.
Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.