Cybersecurity Pros Aren't Getting the Training They Need, Including in DevOps

Written by

Despite the fact that the cybersecurity skills shortage is a well-known issue, software developers are not receiving the training they need to be successful—including in the realm of DevOps.

According to the 2017 DevSecOps Global Skills Survey, sponsored by Veracode, slightly less than half of respondents said their employers paid for additional training since their entry into the workforce – and nearly seven in 10 developers report that their organizations provide them with inadequate security training. Third-party training, either in the classroom or through e-learning, was identified by one in three surveyed as the most effective way to gain new, relevant skills – but the study confirmed that very few are afforded the opportunity (only 4%).

“WannaCry and Petya are just two recent examples of large-scale cyberattacks that further demonstrate the importance of security in today’s exceedingly digital world,” said Maria Loughlin, vice president of engineering at Veracode. “Despite this apparent need, security practices and secure software development isn’t required to earn a degree in IT or computer science.”

Although nearly 80% of respondents have a bachelor or master’s degree – with 50% reporting that they studied and earned degrees in computer science – there is still a lack of cybersecurity knowledge prior to entering the workforce. The survey found that 70% of respondents said the security education they received is not adequate for what their current positions require, and that they’re learning their most relevant professional skills on the job (65%).

Also, as DevOps becomes the prevalent approach to building and operating digital products and services, that gap could have real impact on the security and quality of the software that underpins the digital economy. The report found that while 65% of DevOps professionals believe it is very important to have knowledge of DevOps when entering IT, 70% are not receiving the necessary training through formal education.

In security, DevSecOps refers to the practice of integrating security into the development and testing of software for a “shift left” mentality for faster, better quality outcomes. Yet those surveyed said that their IT workforce is only somewhat prepared (55%) or not prepared (nearly 30%) with the skills necessary to securely deliver software at the speed of DevOps. In fact, nearly 40% of hiring managers surveyed reported that the hardest employees to find are the all-purpose DevOps gurus with sufficient knowledge about security testing. This poses a significant challenge, as more than 50% of organizations said that either the entire organization or some of their teams are currently utilizing DevOps practices.

“Our research with highlights the fact that there are no clear shortcuts to address the skills gap,” Loughlin said. “Higher education and enterprises need to have a more mature expectation around what colleges should teach and where organizations need to supplement education given the ever-changing nature of programming languages and frameworks. The industry will have to come together to ensure the safety of the application economy.”

What’s hot on Infosecurity Magazine?