Roots at the college level
By DRP, Cybersecurity Lab Engineer
The InfoSec field and industry continue to grow at an outstanding pace. This growth is driven by many market forces, including the increase in attacks, the volume of malware being released into the wild, and the phishing and spear-phishing campaigns run by attackers. From the technical side, there have also been massive advances in hardware, software, and their connectivity. Connected devices are growing in both number and complexity, and they now include vehicles, refrigerators, coffee makers, thermostats, garage doors, home locks, and too many other devices to name. This is a function of our society being directed towards convenience and having devices automate their own functionality.
With the significant increase in these technologies, the need for personnel with the skills to secure them has increased substantially. There is a direct, positive correlation between the number of devices and technologies and the personnel required to secure them. As an example, as the number of connected devices grows, all coming from different regions of the planet and from different manufacturers, more personnel will be needed to work on securing them. The number of hours any one person can work is limited, if only by the need to sleep. Given the number of IT personnel across the planet, it would seem there should be the requisite number of InfoSec personnel to manage most of the issues surrounding this sub-industry. This is especially the case with DevSecOps.
Given the focus and attention InfoSec receives because of business compromises and their direct effects on consumers, it would likewise appear there should be enough programs at the university and college level to fill these positions. On a secondary front, there should be other training programs in place designed to fill in the gaps.
Appearances can be deceiving. The lack of a sufficient number of adequately trained and experienced personnel to accomplish these tasks is well publicized. This shortage has also increased the rate at which InfoSec personnel leave the field, due to the number of hours required simply to maintain a baseline level of InfoSec for the business environment, stress, and other factors. The inadequate-training issue was researched by Veracode (Kawamoto, 2017) in their 2017 DevSecOps survey. The research sample included 400 respondents. The research indicated that 70% of the sample said the college training they received did not properly prepare them for implementing security in application development. Also, 65% of respondents received their most relevant training on the job.
The results are rather disheartening. If this continues, the issue is only going to become worse, as personnel are not entering the field in sufficient numbers. The downward spiral will only continue. As it does, processes, software, and hardware will continue to ship less secure than they should be. Granted, there would be requests to have these reviewed and improved; however, with only a baseline number of personnel available to work on them, the change requests will simply pile up and be reviewed only when their turn comes in the queue behind all the others. Meanwhile, the attackers certainly would not slow their efforts. Without a concerted effort, there will continue to be issues, and these are going to increase in their negative effect on users and businesses.
Kawamoto, D. (2017, August 17). Veracode survey shows a majority of DevOps pros mostly learn on the job about security. Retrieved from https://www.darkreading.com/application-security/70-of-devops-pros-say-they-didnt-get-proper-security-training-in-college/d/d-id/1329654