As DevOps continues to become an essential part of software development and the information technology world, it is also suffering from lack of engineers experienced in cybersecurity. The need for these skills remains paramount, as highlighted by the recent CCleaner malware incident at Avast, where hackers were able to inject nefarious code into Avast’s build process. Customers – unaware of the hack – then installed the malware on their system when installing CCleaner.
Industry surveys reveal a notable lack of information security talent throughout the IT industry, but especially when it comes to those working at a DevOps shop. Let’s take a closer look at the data. Perhaps it inspires your company to close a similar skills gap in your office if it exists?
Veracode and DevOps.com recently combined to produce and publish the 2017 DevSecOps Global Skills Survey. One of the more interesting findings of the survey reveals that 70 percent of the 400 respondents currently working at a company that follows DevOps feel they didn’t receive enough training in cybersecurity. This applies both to university coursework and post-graduate professional training.
Considering 80 percent of the survey respondents hold either a bachelors or masters degree, it becomes obvious colleges need to ramp up cybersecurity content as part of their IT-related curriculum. Over two-thirds of those surveyed feel the security education they received didn’t sufficiently prepare them for the real world. Alan Shimel, editor-in-chief at DevOps.com, feels businesses also need to work diligently to close this skills gap.
“With major industry breaches further highlighting the need to integrate security into the DevOps process, organizations need to ensure that adequate security training is embedded in their DNA. As formal education isn’t keeping up with the need for security, organizations need to fill the gap with increased support for education,” said Shimel.
Unfortunately, the survey also notes an issue with DevOps professionals receiving sufficient cybersecurity training once they are employed. Less than half of the respondents said their companies paid for any additional security training. 70 percent of those surveyed felt their overall cybersecurity training was inadequate for the nature of their work.
Maybe an unforeseen benefit of the malware attack on Avast is an increased focus by companies on providing the right security training for their DevOps employees? Universities and technical colleges also need to improve their offerings. These are points echoed by Veracode’s VP of Engineering, Maria Loughlin.
“Our research with DevOps.com highlights the fact that there are no clear shortcuts to address the skills gap. Higher education and enterprises need to have a more mature expectation around what colleges should teach and where organizations need to supplement education given the ever-changing nature of programming languages and frameworks. The industry will have to come together to ensure the safety of the application economy,” said Loughlin.
When even companies specializing in cybersecurity become victims of hacking, like Avast, everyone takes notice. Ultimately, if your company leverages DevOps and its array of Cloud-based tools to make its software development practice more efficient, cybersecurity training for your team needs to be an important consideration.
Thanks for checking out the edition of the Betica Blog. Keep coming back for additional insights from the software development world.