As an industry, we should never expect developers to become security experts, but organizations can adopt new standards for developer enablement so they can produce higher quality software.
After just a few minutes of browsing tech news, it will quickly become clear just how dangerous the threat landscape is becoming. Every day seems to bring with it a report of a major breach, a new vulnerability, or a dire threat of active exploitation by cyberattackers and criminals. And almost every industry metric and report shows an increasingly dangerous number of cyber threats, with most experts predicting that this trend will continue for years to come.
Lined up against these new threats is a depleted and understaffed frontline of IT security workers. Despite commanding high salaries and being nearly indispensable to any business or organization, there is never enough security personnel to go around. In a recent survey conducted by the Center for Strategic and International Studies, 82% of IT decision-makers said their organizations suffered from a shortage of cybersecurity skills, and 71% said that the shortage had resulted in direct and measurable damage to their organizations. In just the United States alone, the report noted that there were more than 520,000 unfilled cybersecurity jobs in a field where only about 940,000 are employed.
Worldwide, there are currently about 3.5 million cybersecurity jobs that are unfilled, meaning that even organizations that are willing to pay huge amounts of money to hire and retain top-level professionals are having trouble locating suitable candidates. On average, it takes about 21% longer to fill a cybersecurity position than any other job, if they can be filled at all.
We noted in many previous blogs that developers can be tapped to fill in some of those critical gaps in cybersecurity defenses. It’s just that traditionally developers were never trained on cybersecurity. Their job performance was almost entirely based on speed and time to deployments. Security was the job of the AppSec teams further down the line.
Unfortunately, it’s not just a matter of switching gears and asking developers to suddenly begin adding security into their applications and programs. Even if they are willing to make those changes, and surveys have shown that many of them are, they still need training in order to make that happen. They also need encouragement and support from upper management, but being enabled with meaningful learning is the first, and often the largest, stumbling block.
There is a reason that millions of high-paying, highly secure IT security positions remain unfilled worldwide. If it was easy work, everyone would be jumping into that field. Learning how to combat threats and eliminate vulnerabilities within code is difficult, and the threat landscape is constantly changing. Trying to teach cybersecurity, even to relatively tech-savvy developers, can’t be efficiently done using static training that dates quickly and isn’t memorable, and will have a minimal positive impact, especially if those requirements are added to their already overtaxed schedules.
Teaching cybersecurity skills using traditional methods is like trying to build a skyscraper without ever taking your feet off the ground. It’s not possible because students don’t have the foundation needed to master the many higher-level concepts of a complex field like cybersecurity. To compensate, the concept of scaffolded learning can be employed.
When using a scaffolded, or “layered” approach to upskilling, larger topics are typically broken down into discrete learning experiences or concepts. This ensures that students are able to master each concept using appropriate exercises and instruction, providing all the support needed for each component. Newer, more advanced concepts are layered on top of those already mastered, just like physical scaffolding is constructed as a building grows higher. In this way, students are able to achieve higher levels of comprehension and skill acquisition than they would be able to master without assistance.
And just like physical scaffolding, that support is incrementally removed when it is no longer needed, with more responsibility to the students as they become increasingly proficient.
Scaffolded learning is primarily used to reduce the negative emotions and self-perceptions that students may experience when they get frustrated, intimidated, or discouraged when attempting a difficult task without assistance. But it also can hold a lot of value when trying to tackle an extremely difficult concept like modern cybersecurity. Far from being a way to treat developers like children, it’s immensely helpful when their experience with the security team can have the same effect of being frustrating and discouraging, especially when their hard work is sent back with bug fixes and a fresh serving of criticism.
When developers are given tools to understand secure coding fundamentals (usually starting with the OWASP Top 10), they can see for themselves how security bugs happen, why they’re dangerous, and how to remediate them before they end up in production. From there, they can expand their knowledge by tackling more complex vulnerabilities, and getting practical experience in applying good fixes. The layers grow, bit-by-bit, and then when it comes to advanced security issues like insecure software architecture, or engaging in threat modeling, these leaps don’t seem so intimidating and can be tackled with precision.
As an industry, we should never expect developers to become security experts, but organizations can adopt new standards for developer enablement so they can produce higher quality software. As an added bonus for organizations with engineering who are upskilling, each step of the way, or each level of scaffolding, will directly translate to better cybersecurity as they learn. There is no need to wait until the end of a course to see results.
Learning about cybersecurity is difficult, and mastering it is nearly impossible without the right kind of help and instruction. Embracing a security program with scaffolded learning can help make the most of, with benefits becoming evident almost right away. Improvements will start almost immediately, and continually get better over time.