EC-Council President Blames CISOs for Industry Skills Gap

And it wasn’t the only concerning statistic to come from the study. In the skills-level analysis that was carried out, failure rates were around 70% in every category. More generally, only 0.97% of the 11,000 developers surveyed were considered ‘in demand’, and only 12.74% were deemed employable.

“We’re talking about a country with a huge amount of development power, to which the world is looking to outsource”, Bavisi told Infosecurity. “I imagine the results would be similar in any country, as it’s an industry-wide issue. We have turned a blind eye to secure coding, giving developers the ability to develop machines without caring if they’re safe or not. That’s shocking”, he declared.

When asked his opinion on why secure coding practice is not given more emphasis, he named a lack of regulatory requirement, delivery delays, the absence of any financial benefit for doing so, and CISOs. He explained the basis of this accusation to Infosecurity at the Hacker Halted conference in Atlanta.

“Why do colleges get away with producing developers who have no clue about security? Because development houses are employing these people without making the demands. Why do they get away with it? Because their clients don’t demand it. Why don’t the clients demand it? Because the leadership don’t demand it. And the leadership is the CIO or CISO.” CISOs and CIOs are partly responsible, Bavisi reiterated. “They often think their job is to maintain security after the fact. In reality, they should be proactive. There needs to be a complete 180-degree turn.”

“Clients aren’t demanding [secure coding], insurance companies are not awarding a bonus on premiums if systems are secure. No-one’s asking for it and that’s the biggest flaw”, said Bavisi.

If only one or two large development companies began to require secure coding, the entire landscape would change, argued Bavisi. “Someone needs to be a leader in this field, and employ all certified secure developers. We keep inventing broken stuff and then being expected to fix it”, he said.

Building secure coding into academia is also integral to changing the landscape, explained Bavisi further. “Foundational blocks should be placed, and then certification should be there to provide an industry benchmark and make the person employable and current.”

While there are concerns in the information security industry that the profession is not seen as desirable enough to attract new talent, Bavisi is confident that the increasingly frequent headlines making national news and Hollywood shows like CSI help. “Cyber pays higher than a typical IT job too, which helps.”

And in his keynote...

Jay Bavisi also presented the keynote at Hacker Halted Atlanta, where he compared infosec to the Great Plague of London in 1665. “[Our industry] has tried quarantine and tried cyber hygiene, but we’re still not winning the war. We’re losing. Next, we need to build a vaccine. Our ethical hackers are our active immunization and our secure code is our passive immunization.”