Stop trying to find all the bugs. Start looking for Ted Lassos to close the DevSecOps divide.
You hear it over and over: There’s a yawning cybersecurity workforce gap. The U.S. Bureau of Labor Statistics pegged it at more than 2.72 million unfilled positions as of 2021.
But what if I told you that you don’t need to hire all those impossible-to-find security specialists in order to build — or to fortify — your organization’s modern application security (AppSec) journey?
In fact, there’s a different approach that can fundamentally change the math so that it’s no longer insurmountable. It isn’t about going crazy trying to hunt down rare skill sets — the security specialists who spend the vast majority of their time working in security, privacy and compliance. Mind you, those highly sought-after specialists are important to help engineering with security requirements and architecture. But specialists spend most of their time identifying problems and spotting vulnerabilities — or, in other words, telling engineering that their baby is ugly. Hearing that their products are flawed, days or months after the code was written and fresh in their minds, isn’t the best way to get good results from software engineers.
Hire Ted Lassos
There’s a different way that works better with developers and that can ease the cybersecurity skills shortage.
It has to do with Ted Lasso.
If you haven’t seen the TV show, it’s about a coach from the United States who knows nothing about European football, but he’s hired as the head coach of a London soccer team.
What he does know about is people. He knows how to get the best out of them. He knows how to make them work well together as a team. He knows how to build a staff that will be excellent, that will provide results, and that will have that domain expertise.
Translated to technology, the Ted Lasso approach is about a shift from focusing on hiring security specialists to instead recruiting leaders and coaches to help bridge the DevSecOps divide that keeps development and security from seeing eye to eye. These leaders and coaches can be found when you emphasize hiring into roles such as Scrum Master, Digital Transformation, Agile Coaches or other project-management professionals.
Fixing issues fast = more important than more specialists
This approach makes sense because the AppSec bottleneck isn’t about a lack of more specialists. There’s already a huge pile of things that we want developers to address: all those warts that specialists have discovered in engineering’s babies and thrown back over the wall for engineers to fix. The bottleneck isn’t finding every single vulnerability, including the low-risk ones. Rather, the bottleneck is in getting engineering to rapidly fix the issues we already know about. We need the right people and processes to fix anything that’s found within a day, when the code is still fresh in developers’ minds and when it’s less expensive to fix than in X weeks or months.
It’s a question of how you allocate resources. For example, I recently spoke with an AppSec leader at a large enterprise with 100 or so development teams. He said that he only had four people dedicated to what he described as “preventative application security work,” but there were literally dozens of staff doing things like incident management and network security and pentesting. Incidents are urgent, but you’d need a lot fewer folks doing that work if you prevented incidents from happening in the first place.
It might be hard in the short term to move some of those resources off from finding and responding to security incidents, but an ounce of prevention is worth a pound of cure.
Ted Lasso: Easier to hire, better for engineers
A number of things happen if you shift the investment away from hiring specialists who’ll find yet more security issues and instead focus on hiring people who’ll make it easier for engineers to rapidly resolve the things we’re already able to identify, and who’ll make it more likely that they will resolve those issues rapidly.
First off, you’ll find that recruiting for AppDev gets easier, given that there are more coaches in the job market than there are security specialists. Also, you’ll get a much better response from engineering.
That’s because there are a number of problems with the throw-it-over-the-wall approach, as outlined in Gene Kim’s Three Ways of DevOps, which describes flow, feedback and learning. Flow describes how an entire system performs, be it on the macro level (i.e., development or IT operations) or as granular as an individual contributor, such as a developer. In the Three Ways, flow entails never allowing defects to flow downstream. But when you consider the individual developer, there are also psychological factors involved in the Zen concept of flow, when a project consumes you: a state that leads to happiness at work.
Throw-it-over-the-wall gums up developers’ flow. The opportunity for learning is gone by then, and developers see this later interruption as just messing with their flow. This leads to frustration and slows the pace of learning from previous mistakes, which in turn slows down application development. This widens the gap between security and development, as frustrated devs may first try to avoid the security group. If that fails, they may consider quitting over it.
Tweak hiring to close the DevSecOps divide
In an ideal setting, for developers and security teams to best work together across the DevSecOps lifecycle, this is how the roles and responsibilities would look:
Replace current gatekeepers, not with security specialists but with:
Those who know how to coach teams to improve (à la Ted Lasso), such as Scrum Master, Digital Transformation or Agile Coaching roles.
Pipeline engineers: real developers who love writing code and who can build necessary tools, including code to hit the application programming interfaces (APIs) of tools so as to extract data to build a measurement system.
Set up a measurement system, but don’t immediately start using it to drive behavior. First, correlate the adoption of particular AppSec practices/controls/processes/tools with actual cyber-risk outcomes. Only after your measurement system is capable of doing that can you use it to drive behavior. If you do it before, you may just drive “vanity metrics” that make it look like you are “doing something,” but that something might not actually be very effective.
Recruiting and retaining top talent is the key to any company’s success. Candidates want to have work that’s interesting, fun, and challenging, in addition to working with peers they respect. While there’s a good deal more to be said about setting up a security operations transformation program, broadening your focus from just hiring security specialists will at least help on the front end, when it comes to solving what feels like an overwhelming staffing problem.