Schools aren’t teaching enough security skills, DevOps pays the price
The 2017 DevSecOps Global Skills Survey has found that formal software education is leaving DevOps engineers unprepared for the demands of the job. Why are schools leaving DevOps and security concerns off the curriculum?
Turns out that fancy comp sci degree might not be as useful as you think it is in the real world. The latest research from the 2017 DevSecOps Global Skills Survey highlighted the fact that developers today lack the formal education and skills they need to produce secure software at DevOps speed.
In a world where data breaches can have horrifying results, security needs to be a primary goal and not just an afterthought to DevOps. Over 143 million people have been affected in the Equifax data breach. That has to be some kind of record. To put that in perspective, 143 million people is roughly 45% of the entire population of the United States.
The most striking piece of information from the survey? 76% of developers indicated that the security and secure development education needed for today’s world of coding is missing from formal curricula.
Veracode’s John Zorabedian pointed out an obvious reason for the lack of cybersecurity professionals. “Just 24 percent of survey respondents were required to complete cybersecurity courses as part of their education,” he wrote. “The shortage of cybersecurity professionals is on pace to reach 1.5 million empty positions globally by 2020.”
Clearly, demand is going to outstrip supply.
So, why are formal institutions ignoring this incredibly important aspect of programming? Perhaps it’s too difficult to keep up with the fast-paced cybersecurity field? Or perhaps universities (wrongly!) think companies will take care of this aspect. In any case, neither universities nor organizations are giving developers the tools they need.
Even though 80% of respondents said that they had a degree and half had a computer science degree, it’s clear that developers were not taught the skills they need during school. 70% said the security information they learned was inadequate and 65% stated that they are learning these important skills “on the job”.
Only 4% said they were taught the security skills they need for their jobs.
Obviously, this lack of education is going to have a big impact on DevOps. Respondents to the DevSecOps survey said that 55% of their IT workforce is only somewhat prepared to securely deliver DevOps software. 30% are completely unprepared! Hiring managers say that the hardest positions to fill are ones that require sufficient knowledge of security testing.
That’s not a great sign for the future. Especially since nearly half of all organizations are moving to a DevOps operation or embracing DevOps practices.
So, what’s a company to do in this time of data breaches and “unauthorized access” incidents? There is a bright light at the end of the tunnel.
Developers said they believed the most effective type of training was self-directed. For companies worried about their own vulnerabilities, it might be useful to offer some continuing education and training. Maybe have their IT departments do some online cybersecurity classes. Frankly, it can only help at this point.