Veracode has published the results of its DevSecOps Global Skills Survey, and the results are staggering with regard to the level of developers’ cybersecurity skills and how they learn cybersecurity. If you want to take a look at the survey, go to Veracode’s DevSecOps Global Skills Survey. The highlights of the survey, or maybe you should say lowlights, are as follows:
- 7 in 10 developers say they don’t get adequate training in security at their organizations.
- 76% say they weren’t required to take any security courses in College.
- 64% learn their most relevant skills on the job.
- Only 4% learn their skills from third-party training.
There’s a lot more information in the survey, but I thought I’d provide you with just some of the results. I do this for the simple reason that, given the very large dearth of security professionals (the numbers vary, but I have read anywhere from 1 million job openings right now to 2 million job openings by 2020), probably the best and only place we can get people to fill these roles is from other job areas.
Application security is especially important because the development of applications, whether web apps, mobile apps, or client/server apps, is where vulnerabilities are introduced. Exploits only occasionally come about because of poorly configured infrastructure, though it does happen. So making sure applications are written correctly is extremely important.
But 76% weren’t required to take any security courses in college? Wow…
So, here’s the thing – I, myself, don’t have a post-secondary degree. I’m unique simply because I was lucky enough to literally grow up in the industry. As a result, I learned the new technologies as they were coming out. Nowadays, if I were to look at the training someone coming out of college gets, I would suggest that they are probably 3-4 years behind the moment they get their diploma. The vast majority of people learn on the job because they NEED to learn on the job.
But I didn’t take extra steps to learn security in all areas. When I started, the first thing I did was reach out to other large companies looking for their security people so that I could pick their brains. From there, I discovered that there were 3 security industry groups in Vancouver (at the time), so I joined one of them so that I could meet other security people. And so on and so on.
Shortly after I met with some industry people, I learned about the CISSP and ISC2. I figured it was another good way to learn, so I started studying to get my CISSP. My number when I got the certification was 2412, which tells you how long ago it was. But the studying for the CISSP helped me grow my understanding.
But the CISSP is more of a “theoretical” course, though it has real-world applicability. So I decided to take a couple of vendor exams and forced my employer to pay for them as part of my new job in security. So I got a CCNA (Cisco) and a CCSA (Checkpoint). You have to remember that, in 2000, security was still in its infancy and focused primarily on the network layer.
But it was through the application of these skills that I really learned. Sure, I could take courses or talk to people but, at the end of the day, it wasn’t until I was actually doing design work that I truly understood security. To this day, I still learn new things because I challenge myself to understand how others do the job of Security Architect and then I apply it. I could go to SANS and get one of their certifications. I could take a course from one of the various private training organizations. Or I can discover a new technology and then start reading and see if I can find a project involving that new technology.
Don’t depend on others to give you the knowledge. Take the time to do the reading on the subjects. Get involved with projects that might be bigger than you so that you can push yourself. Hell, propose to your company that it implement a new program of some sort, and talk about the ROI to the company. They just may agree with the idea, and now you get to actually practice what you’ve been reading.
Just don’t expect anyone to hand you anything on a silver platter and expect to learn. Learning just doesn’t happen that way.
Hope that helps …