DevOps: Where’s all the security talent?

This is a contributed piece by Colin Domoney, Consultant Solution Architect at Veracode


Digital transformation has completely changed how businesses consume applications and software. Businesses are increasingly looking to technology to drive greater efficiencies and create new revenue streams, with Gartner predicting that the enterprise software spend will increase to $351 billion this year.

As a result of this exponential growth, DevOps has emerged to dramatically transform the way companies build, test and deploy applications today.

But while it has revolutionised the production-to-market cycle, the rise in cybercrime over the last five years has made security a critical business concern. WannaCry and NotPetya are perfect examples of where ransomware attacks have crippled organisations for days, if not weeks. Collectively these attacks have cost more than $5 billion in business losses, with consumer goods company Reckitt Benckiser amongst the hardest hit.

That’s why DevSecOps is starting to grow in popularity. In practice, it’s a process of integrating security into software development and testing earlier in the lifecycle, as a means to achieve faster, higher quality outcomes that are both innovative and secure. The unfortunate reality is that currently many organisations are leaving themselves vulnerable to malware injections or data breaches, because their developer and IT teams don’t have the knowledge or skills to roll out new applications or updates vulnerability-free.

According to a report commissioned by Veracode, one in three technology professionals said the IT workforce is unprepared to securely deliver software at DevOps speeds, with 40 per cent of organisations claiming that all-purpose DevOps professionals with security knowledge are the hardest positions to fill. This poses a significant challenge as more than half of organisations are using DevOps practices across their business or within teams. That gap could have a real impact on the productivity of businesses in every industry, as well as on the security and quality of the software that underpins the digital economy.


Failings in formal education

One of the key issues behind the security skills gap is curriculum shortcomings in higher education. New developers and IT operations graduates are not entering the workforce with the security knowledge or IT skills necessary to add value in today’s world of work.

An overwhelming majority of respondents in the 2017 DevSecOps Global Skills Survey said they were not required to complete any courses focused on security when getting their degree. This is shocking considering that security is now one of the biggest threats to the livelihood of any organisation.

The onus lies on both the educational institutes and the industry. The current curriculum lacks real-world training in areas such as input and output validation – where most security vulnerabilities lie – and it needs to emphasise hands-on security practice rather than the minimum of three lecture hours that students currently receive on average.

The DevSecOps study, which polled 400 IT professionals globally, revealed that the skills respondents valued most were obtained on the job, with just three per cent reporting that they had accrued their most relevant skills through education. This disparity highlights the need for more industry involvement in shaping university and college curricula around the skills needed from graduates today, especially for high-growth shortage areas like DevSecOps.

And while it’s encouraging that 25 per cent of schools have already started to add security-specific courses to their computer science programmes, at the end of the day this is a long-term fix to a short-term problem.


The business impact

As formal education isn’t keeping up with the need for security, organisations need to fill the gap with increased support for education.

In an effort to stay ahead of the curve, companies are ploughing ahead with DevOps initiatives, but not all have incorporated training and education best practices into their transformation strategies. As a result, firms find themselves with a knowledge deficit that puts the success of DevOps efforts at risk, as well as increasing the likelihood of persistent vulnerabilities left in software infrastructure that could be exploited and cause costly breaches or theft of intellectual property.

Effective in-house security training is, therefore, critical. However, seven in ten developers surveyed confirmed that their organisations provide them with inadequate application security training. And many security professionals felt the same way.

Investing in training in the way that developers and IT professionals want will go a long way to boost motivation and productivity, and to equip teams with the right skills to implement true DevSecOps strategies. For example, 37 per cent of respondents said that classroom or self-guided e-learning training programmes are the most effective way to gain the new skills needed for the job. Yet only half of respondents said they could get their companies to foot the entire bill for training.


Finding a better way

There’s no one-size-fits-all solution to the DevSecOps skills gap. There has to be a mindset shift in how organisations deal with their talent deficit. And it has to come from the top.

CIOs need to educate the senior team on the imperative to train up, and not just developers, but IT security staff as well. Both roles need a solid understanding of security principles and DevOps for a DevSecOps method to be truly effective.

As a start, there are three ways CIOs can begin to tackle the security debt crisis:

  • Invest time and money in continuous education: Continuous education is a must for continuous and secure delivery of software. If organisations struggle to justify sending developers away for extended training classes, bring in application security experts to train staff on the job.
  • Embed security in every training opportunity: Security principles are difficult to get to stick within the engineering department because they’re rarely add-on skills that can be learned in a couple of days. Introduce them into every training opportunity and they’ll be less costly and have a greater impact on the business.
  • Ensure applicability: Whether training is for developers, ops or security personnel, it should be targeted and applicable to the specific role.

No matter what stage an organisation is at in its journey, it’s clear that traditional security methods are no longer fit for purpose. Now more than ever, organisations need to take action to upskill their developers, train their security teams and play an active role in educating future developers to ensure the safety of the application economy now and in the future. 

