It seems that organizations are finally understanding the importance of bridging the gap between security and operations. In a survey we conducted recently, 85% of respondents said that employing SecOps best practices is an important goal for their organizations. Nevertheless, only 35% reported that SecOps is currently an established practice.
When it comes to the ideal of marrying security and operations, many are held back by a lack of expertise. The cybersecurity skills gap has created a severe talent drought in the industry, which is expected to leave 3.5 million cybersecurity jobs open by 2021.
It’s worth looking at what the qualities of an ideal security hire are in today’s business climate, and why it’s so difficult to find these types of professionals. In this post, we’ll outline the skill sets that cybersecurity professionals need to cultivate in the age of the cloud, explain why that ideal is so hard to find, and offer practical advice for moving your SecOps program forward, regardless of who you’re able to bring on your team full-time.
Searching for a Unicorn
Cybersecurity used to be about securing your perimeter, but the advent of the cloud has changed the landscape, and therefore, the expectations for what a security professional should be able to do. Talented security professionals today need to understand not just security generally, but the inner workings of the cloud and how DevOps teams and processes operate. They need to work cross-functionally with development and operations teams to be effective. To do this, they need to understand the following.
According to our recent report, forty-four percent of developers aren’t trained to code securely. It’s a problem that ultimately requires training to fix, but security teams can help guide engineers in the meantime. The ideal security hire, therefore, should be able to coach developers on secure coding practices, enabling them to test for security flaws as they go so they can release secure code quickly and at scale. Integrating security professionals into development teams is a great start.
Even better, security professionals should themselves be able to integrate their efforts into continuous deployment cycles. A security hire should know how to use configuration management tools, for example, in order to integrate new security tools directly into the development process.
The Software Development Lifecycle
We’ve discussed the importance of getting DevOps on board with security, but the inverse is equally true. Security professionals don’t just need the ability to handle alerts; they need to understand the software development lifecycle in order to help DevOps teams secure software from inception through to production. Baking security into the development process early on through threat modeling and rigorous testing is far less costly than identifying and fixing vulnerabilities after code has been shipped, and it’s a vital security best practice for any organization looking to move swiftly in the cloud.
While integrating security with development is becoming a more common practice, it’s vital that security best practices apply to production as well. With operations teams deploying servers more quickly than ever in the cloud, your security hires need to help ensure that those servers are being configured correctly and deployed securely as code moves into production.
Which brings us to why a solid understanding of the cloud is so vital for today’s security professionals. While the cloud enables swift deployment, it also brings with it new risks. Security professionals need to understand what these risks entail (think API key theft and AWS misconfigurations) and how to mitigate them. In addition, they should be well versed in the cloud’s shared responsibility model to know precisely where to focus their efforts.
Automation and Orchestration Tools
Today’s organizations are turning to automation and orchestration tools, and an ideal security hire in 2018 will need to be well versed in these tools. A solid understanding of how to deploy and maintain automation and orchestration tools will reduce the volume of alerts your organization receives, ensuring that the alerts you do receive are meaningful and contextualized so you can take action quickly. Along with the automated response these tools enable, the result will be a significant jump in productivity.
How to Play Nice
Even if a security hire knows how to code and understands how software is built, convincing all the stakeholders of SecOps’ value (and showing them the ropes) won’t necessarily be an easy sell. Many organizations still think of security as a roadblock to DevOps’ efficiency. According to our survey, 62% of organizations report that their operations teams push back when asked to deploy secure technology, and 57% say those teams push back on security best practices. So your new hire will need to be a people person, someone who can convince the higher-ups that integrated security is ultimately more effective and efficient in releasing a quality product and can then show them what it will take to accomplish this.
Bridging the Gap
With such a broad knowledge base expected of top security personnel today, an old-school IT or security mindset will no longer fit the bill. Even if you do find a unicorn, you’re sure to run into some tough hiring competition. According to ISACA’s 2017 State of Cybersecurity report, 55% of organizations report that it takes three months to fill a security position, while 32% take six months, and 27% simply aren’t able to fill these positions at all. Due to the competitive hiring environment, bringing on a talented security expert is not only time-consuming; it’s expensive as well.
Some organizations are turning to automation and a variety of SecOps tools to fill the gap, but none can truly replace human talent — nor can you use these tools to their full potential without the right people on board.
To help teams bridge the talent gap, we created the Threat Stack Cloud SecOps Program℠. This new co-managed service pairs your organization and its resources with our highly trained SecOps experts, who meet with you regularly to help you apply a DevOps lens to all your security processes.
Using our proprietary Maturity Framework, we assess your current security maturity and then work with you to help you create a shared, data-driven plan to unify your security and operations teams with mutual goals. Our Threat Stack Insight℠ and Threat Stack Oversight℠ services, meanwhile, take advantage of our security engineers to deploy the Threat Stack Cloud Security Platform® with your unique environment in mind. This allows you to leverage modern infrastructure and DevOps at scale without having to recruit hard-to-find security talent or struggle to interpret and integrate data from multiple point solutions.