With an ever-increasing number of businesses focusing on developing digital platforms to connect with their customers, we are seeing cybercrime grow into a concerning phenomenon. Digital transformations of varying scales and complexities are taking place at a pace where speed-to-market and innovation are at the core of most CTOs' decisions. Security teams must work in conjunction with technology teams to protect their organisations whilst managing an increasing number of potentially vulnerable attack vectors.
As a result, organisations are having to increase focus on how to secure their digital access points through application security (Appsec) measures. We are often tasked with finding senior professionals who have Appsec experience (an Engineer, Architect or a Consultant for example) and whilst the demand for this experience is increasing, the pool of talent is very shallow for this niche skillset.
Traditional security methods are often ineffective at the application layer and it's these potential weaknesses that are being increasingly targeted by hackers. With more focus on digital, there are more threats to organisations and more to consider from a Cyber Security standpoint. It’s now vital for security to be embedded into all applications as a first line of defence, be it cloud, online or mobile. Instead of building and then testing new applications, we have seen a focus on building securely from the initial phases of the SDLC so that testing is ongoing throughout rather than after an application is built.
Organisations often do not have the skills in-house to set up ways for development teams and other technical teams to work like this. There can be a gap between an I.T. team and the security team. Development teams may not be trained in how to code securely. Testing may not be consistent throughout the build process and may take time at the end to complete.
Appsec professionals have a good understanding of both development and security, so they can converse with developers in coding language and work to embed security throughout the development lifecycle. Consultants and Architects can look at how to set up best-practice measures to ensure a business is continuously improving the way it delivers digital products securely, without losing time or increasing vulnerability. They can also advise project teams from the initial phases as to what is realistic and what timeframes are involved, often preventing mistakes and saving time on delivery.
With organisations now needing to use specialist consultancies or hire senior people internally to deliver in these often newly created positions, Appsec candidates can demand top-of-the-range salaries and, largely, have their pick of opportunities across industry sectors.
As a partner to several organisations who hire these people, we know that one key factor is a candidate's ability to manage stakeholders and collaborate across various teams, advising and translating between technical languages to ensure all teams are on the same page. This communication element can be hard to find in people who are naturally technical.
As the technology market continues to evolve into ever more innovative times, Australia must seek ways of ensuring that Cyber Security professionals in the Appsec space are being attracted and nurtured. Talent at grass-roots level in Cyber has been outlined as a key focus by both the Government and the industry governing bodies. In conjunction, I believe organisations should also be looking at ways of developing internal talent from other parts of technology teams organically, investing in the relevant education and practical training to get good-calibre professionals up to speed. There is a huge opportunity for mid-level candidates with development experience and a passion for security to transition into the Cyber Security world. These opportunities offer exciting and rewarding work, and in the long run, greater earning potential.
Developers can be trained in Secure Coding and then further learn how to consult on or develop digital enterprise architecture in Security. Penetration testers who have the right communication skills can be educated around the SDLC and how to set up best practice for continuous integration and delivery. Courses by SANS, Veracode, OWASP or IRCAB (amongst others) can massively help to bridge knowledge gaps. It is now important for Architects and Consultants to understand cloud technologies and DevOps tools, and certifications in AWS are becoming more common in the Cyber space.
Waiting for graduates to develop into these professionals over the coming years is a solution that will take time, while the technologies and role responsibilities will continue to evolve. Organisations need these skills yesterday, and often do not have the time or resources to train and develop people – the fundamental part of the issue. Instead, hiring criteria tighten, as a business would rather wait for the perfect candidate who they know they can rely upon.
Not having access to these skills could be costly for organisations. Relying solely on finding people in the Australian market could mean many months spent searching for the right person, in which time somebody internally could have been trained. Similarly, a candidate with the right development or testing background could be hired and, with the right attitude, become extremely capable. Companies need to look outside of the box to prepare for how they build Cyber capability in the niche areas that we know are especially talent-short, like Appsec. Finding a strong developer who can learn Appsec is likely a more natural solution than training a seasoned risk or network security professional in the principles of coding and testing, but it does depend on the individual.
Decipher Bureau have built out Appsec teams and placed several professionals in this space, but the shortage of profiles remains. We often relocate professionals from overseas, building a strong network which we focus on continuing to grow. In an ever-changing market, we are always keen to speak with candidates who would be interested in career advice as to how to move into the Appsec space. For professionals with relevant backgrounds, either in Australia or overseas, we have various clients ready to meet you if you are interested in making a career move.