Stop trying to find all the bugs. Start looking for Ted Lassos to close the DevSecOps gap.
You hear it over and over again: there is a gaping workforce shortage in cybersecurity. Statistics from the United States Bureau of Labor put it at more than 2.72 million vacancies in 2021.
But what if I told you that you don’t need to hire all those hard-to-find security specialists to build — or strengthen — your organization’s modern application security (AppSec) journey?
In fact, there is a different approach that can fundamentally change the calculation so that it is no longer insurmountable. It’s not about going crazy trying to hunt down rare skills – security specialists who spend the vast majority of their time working in security, privacy and compliance. Remember, these highly sought-after specialists are important in helping engineering with security requirements and architecture. But specialists spend most of their time identifying problems and spotting vulnerabilities – or, in other words, telling engineering their baby is ugly. Learning that their products are faulty days or months after the code was written, when it is no longer fresh in their minds, is not the best way to get good results from software engineers.
Hire Ted Lassos
There is another method that works better with developers and can alleviate the cybersecurity skills shortage.
It’s related to Ted Lasso.
If you haven’t seen the TV show, it’s about a coach from the United States who doesn’t know anything about European football but is hired as the head coach of a London football team.
What he knows is people. He knows how to get the most out of them. He knows how to make them work well as a team. He knows how to build a staff that will be excellent, that will deliver results and that will have the expertise in the field.
Translated into technology, Ted Lasso’s approach is to move from focusing on hiring security specialists to hiring leaders and coaches who help bridge the DevSecOps gap that keeps development and security from seeing eye to eye. These leaders and coaches can be found when you focus on hiring for roles such as Scrum Master, Digital Transformation, Agile Coach, or other project management professionals.
Solve problems quickly = more important than more specialists
This approach makes sense because the AppSec bottleneck is not a lack of additional specialists. There’s already a huge pile of stuff we want the devs to address: all those warts that the specialists found on engineering’s babies and threw over the wall for the engineers to fix. The bottleneck is not finding all vulnerabilities, including low-risk ones. Rather, the bottleneck is getting engineering to quickly fix the problems we already know about. We need the right people and the right processes to fix anything found within a day, when the code is still fresh in the minds of developers and cheaper to fix than it will be X weeks or months later.
It is a matter of resource allocation. For example, I recently spoke with an AppSec manager at a large company with a hundred development teams. He said he only had four people dedicated to what he described as “preventive application security work”, but there were literally dozens of employees doing things like incident management, network security and pentesting. Incidents are urgent, but you would need far fewer people to do this job if you prevented incidents from happening in the first place.
It might be difficult in the short term to divert some of these resources from research and security incident response, but an ounce of prevention is better than cure.
Ted Lasso: Easier to hire, better for engineers
A number of things happen if you divert the investment from hiring specialists who will find even more security issues and instead focus on hiring people who will enable engineers to fix the issues we are already able to identify…and who will make it more likely that they will resolve these issues quickly.
First, you will find that recruiting for AppDev becomes easier, given that there are more coaches in the job market than security specialists. Also, you’ll get a much better response from engineering.
That’s because there are a number of problems with the throw-it-over-the-wall approach, as outlined in Gene Kim’s Three Ways of DevOps: flow, feedback, and learning. Flow describes the performance of an entire system, whether at the macro level (i.e. development or IT operations) or as granular as an individual contributor, such as a developer. In the Three Ways, flow involves never allowing defects to flow downstream. But if you consider the individual developer, there are also psychological factors involved, as in the Zen concept of flow, when a project consumes you: a state that leads to happiness at work.
Throwing it over the wall breaks the developer’s flow. The opportunity to learn is gone by then, and the developers see this later interruption as merely a disruption to their flow. This leads to frustration and slows the pace of learning from previous mistakes, which in turn slows application development. This widens the gap between security and development, as frustrated developers may first try to avoid the security group. If that fails, they may consider quitting.
Adjust Hiring to Close the DevSecOps Gap
In an ideal setting, for developers and security teams to work together best throughout the DevSecOps lifecycle, here’s what the roles and responsibilities would look like:
- Replace current gatekeepers, not with security specialists but with:
  - Those who know how to coach teams to improve (à la Ted Lasso), such as the roles of Scrum Master, Digital Transformation or Agile Coach.
  - Pipeline engineers: real developers who like to write code and can build the necessary tools, including the code that hits the application programming interfaces (APIs) of the tools to extract data for a measurement system.
- Put a measurement system in place, but don’t immediately start using it to drive behavior. First, correlate adoption of particular AppSec practices/controls/processes/tools with actual cyber risk outcomes. Only when your measurement system is able to do this can you use it to drive behavior. If you do it before then, you may just be driving “vanity metrics” that make it look like you’re “doing something” when that something might not be very effective.
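As an added illustration of the measurement-system point above (this is example code, not from the article or any particular tool), the snippet below takes per-team records of the kind a pipeline engineer might pull out of tool APIs and checks whether a candidate metric actually moves with a risk outcome before it is allowed to drive behavior. The team records, the field names (`pipeline_sast`, `scans_per_week`, `median_fix_days`) and the 0.5 correlation cut-off are all constructed assumptions for the demo; with this sample data the control-adoption metric tracks time-to-fix strongly while the "scans per week" count does not, which is the vanity-metric trap the text warns about.

```python
# Added example (not from the article): check that an AppSec metric tracks a
# risk outcome before using it to drive behaviour. All records are constructed.
from math import sqrt
from typing import Dict, List, Tuple

# Hypothetical per-team data a pipeline engineer could extract from tool APIs:
#   pipeline_sast   - 1 if static analysis runs on every pull request (control adoption)
#   scans_per_week  - how often scans run (a candidate "vanity metric")
#   median_fix_days - median time from finding to merged fix (a risk outcome)
TEAMS: List[Dict[str, float]] = [
    {"team": "A", "pipeline_sast": 1, "scans_per_week": 12, "median_fix_days": 2},
    {"team": "B", "pipeline_sast": 1, "scans_per_week": 3, "median_fix_days": 3},
    {"team": "C", "pipeline_sast": 1, "scans_per_week": 20, "median_fix_days": 4},
    {"team": "D", "pipeline_sast": 1, "scans_per_week": 5, "median_fix_days": 3},
    {"team": "E", "pipeline_sast": 0, "scans_per_week": 15, "median_fix_days": 12},
    {"team": "F", "pipeline_sast": 0, "scans_per_week": 4, "median_fix_days": 20},
    {"team": "G", "pipeline_sast": 0, "scans_per_week": 18, "median_fix_days": 15},
    {"team": "H", "pipeline_sast": 0, "scans_per_week": 6, "median_fix_days": 17},
]


def pearson(xs: List[float], ys: List[float]) -> float:
    """Pearson correlation coefficient; returns 0.0 when either series is constant."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two series of equal length >= 2")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def metric_outcome_correlation(records: List[Dict[str, float]], metric: str, outcome: str) -> float:
    """Correlation between a candidate metric and a risk outcome across teams."""
    return pearson([r[metric] for r in records], [r[outcome] for r in records])


def outcome_linked(records: List[Dict[str, float]], metric: str, outcome: str,
                   min_abs_r: float = 0.5) -> bool:
    """True only if the metric moves with the outcome strongly enough to be worth
    driving behaviour with. The 0.5 cut-off is an assumed value; tune it to your data."""
    return abs(metric_outcome_correlation(records, metric, outcome)) >= min_abs_r


def mean_outcome_by_adoption(records: List[Dict[str, float]], control: str,
                             outcome: str) -> Tuple[float, float]:
    """Mean outcome for teams that adopted the control versus teams that did not."""
    adopters = [r[outcome] for r in records if r[control]]
    others = [r[outcome] for r in records if not r[control]]
    if not adopters or not others:
        raise ValueError("need at least one team in each group to compare")
    return (sum(adopters) / len(adopters), sum(others) / len(others))


if __name__ == "__main__":
    for metric in ("pipeline_sast", "scans_per_week"):
        r = metric_outcome_correlation(TEAMS, metric, "median_fix_days")
        verdict = "outcome-linked" if outcome_linked(TEAMS, metric, "median_fix_days") else "vanity metric"
        print(f"{metric:15s} r={r:+.2f} -> {verdict}")
    print("mean fix days, SAST adopters vs others:",
          mean_outcome_by_adoption(TEAMS, "pipeline_sast", "median_fix_days"))
```

Correlation on eight constructed rows proves nothing about a real program; the point of the pattern is the ordering: gather the outcome data first, test each metric against it, and only promote a metric to a dashboard or a team goal once it has passed that test.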
Recruiting and retaining top talent is key to the success of any business. Candidates want interesting, fun and challenging work, as well as peers they respect. While there is a lot more to be said about setting up a security operations transformation program, widening your search instead of just hiring security specialists will help you at least up front, when it’s about solving what appears to be an overwhelming staffing problem.