As I head to San Francisco this week to attend RSA, I am gearing up for a lot of discussions with CISOs. It may surprise you, but the conversation with many CISOs these days is not a happy one.

They know security risks are increasing, but many can’t see the opportunity for security improvements, instead believing their organisations are more likely to fall victim to a data breach or cybersecurity attack than ever before.

One of the most common themes in my regular CISO conversations involves their concerns about the problematic shortage of cybersecurity skills.

“Our security team isn’t large enough for the size of our engineering team or company.”

“Our security team keep being poached by companies overseas who offer extraordinary salary packages and the opportunity to work and explore other continents.”

“Our security experts are too busy fighting fires to keep up their skill development.”

This theme is backed by several research reports, including a 2017 Ponemon Institute survey in which “lack of competent in-house staff” topped all other CISO cybersecurity concerns for 2018.

This critical security skills gap is not likely to go away any time soon, especially in markets like Australia where the brightest talent often moves offshore and immigration laws make it increasingly challenging to bring foreign security experts into the country.

One of the interesting things about the Australian skills shortage is that the inability to recruit skilled experts has led to some positive focus on national security skill-building. As Benjamin Franklin is supposed to have said, “Out of adversity comes opportunity.” Australian governments, educational institutions, corporates and start-ups are working on programs to build a range of security skills locally.

One area where the security skills adversity has definitely led to opportunity is in the development of secure coding skills within in-house and outsourced development teams. Given that most of the world’s major security breaches can be attributed to coding errors and the average breach costs US$3.6 million, software security is definitely a significant part of the security challenge. One of the biggest (and growing) spends within application security budgets is on reactive identification and remediation of application vulnerabilities, often with the same old bugs occurring year after year.

Empowering developers to write secure code from the start is an opportunity for CISOs to take some proactive control of the security predicament, and it offers the chance for fast, easy and measurable improvements – for both security and development teams.

This doesn’t mean replacing security experts with developers, but it does mean engaging developers on security issues, making security part of their daily mindset and teaching them to code securely in a way that is fun, effective and efficient. The outcome is that scarce security expertise can be better spent on finding and fixing the really challenging, complex bugs, rather than dealing with the same old vulnerabilities.

To some CISOs, this might all sound too good to be true, or too hard to implement, but the truth is it is neither of those things. At Secure Code Warrior, we have seen more and more CISOs embracing this opportunity, and transforming the working lives of both security and development teams in the process.

One group of CISOs who have led the charge globally to develop a strong security mindset and skills among their software developers is the Australian banks. The Aussie banks were the early adopters of this approach back in 2016 and 2017. The country’s top six banks now actively encourage and engage their dev teams to build secure coding skills through our online, self-paced, gamified learning environment. The banks are also regularly reviewing real-time metrics and reporting to verify the strengths and weaknesses of their developers and teams.

Tangible and positive outcomes are flowing from the approach, including a reduction in the occurrence of common vulnerabilities, increased developer security awareness and an improved relationship between security and development teams. Companies that invest in teaching their developers to code securely will reduce the pressure on their existing security talent as well as reducing their exposure to software vulnerabilities.

If you are a CISO (or know one) who feels depressed about the security situation within your organisation, I encourage you to think about a straightforward way to score some positive and tangible security improvement points. Empower your developers to learn to code securely in a way that is relevant, positive and fun. Your security and development teams will thank you for it, and you will also strip out costs and delays in product innovation and development. My bet is it will pave the way for many positive security conversations 😊.