Security Staff Acquisition & Development

Why the industry needs to upskill its existing staff

The Biden administration has worked closely with CISA to improve cyber education to help close the skills gap. Today’s columnist, Pieter Danhieux of Secure Code Warrior, offers ideas on how we can upskill existing developers. (Photo by Drew Angerer/Getty Images)

The cybersecurity workforce continued to grow last year, adding more than 700,000 professionals to its ranks. While this growth is undoubtedly exciting, the cybersecurity workforce gap remains substantial, with more than 2.7 million positions still unfilled, according to the same report.

(ISC)2’s most recent cybersecurity workforce study says that the global cybersecurity workforce needs to grow by 65% to defend organizations’ critical assets effectively.

As has been the case for more than a decade, there’s insufficient cybersecurity people power. Perhaps more importantly, the cybersecurity market must multiply to meet demand, let alone catch up.

This leaves organizations in an untenable situation. They must compete for top talent in a competitive market, while retaining skilled in-house employees. Fully staffing cyber positions becomes incredibly difficult, and in many cases paying the market value is expensive.

So, what do organizations do? Has the time come to throw in the towel for security? Not quite.

A pivot to an important asset

The most valuable part of any organization is its current staff. Each organization has developers with the untapped potential to take more responsibility for cybersecurity within their role. While organizations may lack direct cyber talent, these developers offer an opportunity for cybersecurity upskilling investment.

In-house developers can improve cybersecurity. They can transform existing code and add security features and protocols that raise an organization’s overall security posture and security hygiene practices. The missing piece has typically been training. These developers simply need the time, opportunity, and hands-on curriculum to institute modern security best practices.

For many organizations, this shift toward developer investment offers an alternative route to improved security. It could take months or even years to find the proper cybersecurity professionals. This provides another path to success.

Improvement comes from the top

Developers already serve on the front lines of defense for their organization, although many leaders overlook this aspect of the role of developers. The problem comes in balancing organizational priorities, as security often gets placed behind other tasks in the software development lifecycle. As a result, to meet condensed deadlines, developers inadvertently introduce security vulnerabilities into what they create.

In our recent survey, just 29% of developers believe they should prioritize the active practice of writing code free of vulnerabilities. The same study also found that 20% of developers say they don’t think they’re receiving enough training or guidance on implementing secure coding from their managers.

Developers will follow the demands of their roles. If managers do not prioritize security as part of developer KPIs, developers will see it as another department’s problem or bypass it altogether. The software development cycle gets shortened to speed up the delivery time.

How to approach upskilling

Organizations need to apply a layered approach to empower and enable their developers to learn and apply new skills properly. Organizations should look at progressive learning pathways, where more prominent topics are broken down into discrete learning experiences or concepts.

Instead of one long training session, students get the opportunity to master each concept using appropriate exercises and instruction. Like a scaffold, these concepts build upon one another. Students can achieve higher comprehension and skill acquisition levels in a shorter period while progressively learning more advanced skills. When developers receive proper training, they can better see how security bugs happen, why they are dangerous, and how to remediate them before they are in production.

The lack of cybersecurity professionals has become a constant challenge. We may never have enough skilled cyber personnel to properly protect organizations and applications. As organizations wrestle with this challenge, they should look to their developers to close the gap and empower them to focus more on security. We’re not talking about pushing new training on developers, but empowering them to learn new skills that can change their role in the company and make themselves more valuable.

Pieter Danhieux, co-founder and CEO, Secure Code Warrior
