Page 26 - Cyber Defense eMagazine - November 2017

LACK OF INFOSEC & DEVSECOPS ROOTS AT THE COLLEGE LEVEL

by DRP; Cybersecurity Lab Engineer

The InfoSec field and industry continue to grow at an outstanding pace. This is being driven by many market forces, including the increase in attacks, malware being released into the wild, phishing, and spear phishing being promulgated by the attackers. From the technical side, there are also massive advances in the hardware and software, and their connectivity. The number of connected devices and their complexity are increasing, across devices as varied as vehicles, refrigerators, coffee makers, thermostats, garage doors, home locks, and too many other devices to name. This is a function of our society being directed towards ease and having devices be automated in their functionality.

With the significant increase in these technologies, the need or demand for personnel with these skills has increased substantially. There is a direct, positive correlation between the number of devices and technologies and the personnel required to secure these. As an example, if the number of connected devices, all from different regions on the planet and from different manufacturers, increases, there will need to be more personnel to work on securing these. A person's number of hours to work is somewhat limited due to sleep requirements. Seemingly, with the number of IT personnel across the planet, there should be the requisite number of InfoSec personnel to manage most of the issues surrounding this sub-industry. This is especially the case with DevSecOps.

With the focus and attention given to InfoSec due to the business compromises and direct effects on the consumers, it would likewise appear there should be enough programs at the University and College level to fill these positions. On a secondary front, there should be other training programs in place designed to fill in the gaps.

Appearances can be deceiving. The lack of a sufficient level of adequately trained and experienced personnel to accomplish these tasks is well-publicized. This has also increased the rate of InfoSec persons leaving the field due to the number of hours required to simply maintain the baseline level of InfoSec for the business environment, stress, and other factors. This issue of inadequate training was researched by Veracode (Kawamoto, 2017) with their 2017 DevSecOps survey. The research sample included 400 respondents. The research indicated 70% of the sample noted the college training they received did not properly train them for implementing security with application development. Also, 65% of respondents received their most relevant training on the job.

The results are rather disheartening. If this continues, the issue is only going to become worse, as personnel do not enter the field in sufficient numbers. The spiral downwards will only continue. As this continues, the processes, software, and hardware will continue initially to not be as secure as these should be. Granted there would be requests to have this reviewed

Copyright © 2017, Cyber Defense Magazine, All rights reserved worldwide.