Most people are painfully aware that security breaches have increased in recent years, while at the same time becoming much more sophisticated in their approach. Additionally, ever-expanding application environments and continuously evolving workloads have created more opportunities than ever for attackers. What’s not so apparent to those outside of the tech bubble: The world is dangerously ill-equipped to handle the magnitude of these threats.
Organizations may want to meet this challenge with armies of skilled technologists primed to maintain secure operations. But the reality is there is a major shortage of capable DevOps experts, especially ones with cybersecurity skills. This creates major problems for all organizations operating in modern cloud and container environments.
According to the cybersecurity advocacy group (ISC)2, this skills gap has noticeable, meaningful consequences for DevOps and security teams. Responses collected from more than 4,500 cybersecurity professionals around the world indicate just how severe the problem is. More than 30% of respondents said they regularly experience misconfigured applications, 29% feel that their teams are too slow to patch critical systems and 27% are unable to maintain necessary awareness of all threats active against their IT infrastructures.
It is clear that cybersecurity teams are not staffed to meet current—and anticipated future—demands, processes are not managed, assessment is not addressed and monitoring is incomplete. Yet, this is not just a matter of hiring more people to perform these tasks. The necessary people needed to keep DevOps environments safe simply do not exist as the role has changed faster than the workforce.
Time is a critical factor in security, and there can be no waiting around for a solution to appear. DevOps leaders and CISOs must do something, and fast. Fortunately, they can mitigate the burden of this skills shortage and continue moving forward with their transition to the cloud, containers and Kubernetes by taking these steps:
1. Employ Automation
Security and DevOps teams have to validate that security controls are actually working as intended, but also that they aren’t slowing down development efforts. Many enterprises perform manual checks to determine this, but that’s simply not scalable. Automation is the only way to do this effectively. Companies need tools that can analyze cloud activity without manual processes to understand if things are operating as expected, even in the largest deployments.
The equalizing factor that combines speed, agility and security is found in automation. With an automated approach, cloud activity can be analyzed and interpreted and DevOps and security teams can be alerted about abnormal behavior within their cloud and container environments. This helps to address vulnerabilities and issues before they are exploited, reduce friction in the development process and ensure safe deployment.
For starters, DevOps teams should leverage security tools to automatically build and customize policies. The right tools, some of which can be found in open source frameworks like Falco, are built to adapt to container life cycles and integrations. DevOps teams can rely on these tools to enforce policies and to alert on issues that result from anomalous behaviors that could indicate a threat.
Inherent in the automation approach is the shared responsibility concept; security of cloud and container activity is put squarely into the domain of the cloud customer. They are free to operate as needed, but no organization can ignore the modern demands of speed or the necessary requirements of security. This requires that DevOps teams recognize and adapt to the needs of security oversight while security teams must act on their remit while not slowing down the development and delivery processes.
2. Train People for the Task at Hand
If the right people don’t exist, it’s up to security and DevOps teams to create them. Organizational training is the key to adding people with the right skills, and every organization should be looking to develop the right candidates into qualified DevOps and security experts.
Many of these people already can be found working as application developers or within a security function. You may find individuals who are early in their careers, looking to enhance their skill set and eager to participate in on-the-job training. Every organization should encourage mentoring by more experienced staff, but also should have formalized training programs in place to bring people up to speed on the unique needs of DevOps security.
Some colleges now offer specialized cybersecurity degrees or certifications. Coding schools, like the Eleven Fifty Academy in Indianapolis, for example, train students on the most current cybersecurity practices and can be a great source of talent. The United States military also offers some of the most sophisticated technology training and is also fertile ground for recruiting highly skilled security and DevOps players.
3. Think Globally
There is no single, prescribed way to attack or hack cloud and container environments. Approaches are diverse, and that’s why the talent responsible for security also should champion diversity. One way to do this is to look beyond your own borders for talent. As the world has embraced remote work over the past two years of the COVID-19 pandemic, more organizations than ever are equipped to bring on workers from across the globe to help them solve security and DevOps issues.
Think more broadly about where you can find talent and hire people who can prove their capability through tests and work samples. Not only does this deepen the pool of potential workers, but it also helps you bring new people into the fold who have different perspectives and approaches that could enhance the work you’re already doing.
Nearly half of the employees at the company I work for sit outside of the United States. This has drastically increased the talent pool for us. With a bit of diligence, the major barrier to hiring globally—the time difference—isn’t an issue, and you might even find it makes you more efficient.
4. Rely on Proven Solutions
Finally, use commercially available products to support your DevOps security needs. Building it yourself is always an option, but when it comes to security, that approach may take more time than you have; a luxury you cannot afford.
SaaS products are most reliable and effective in this regard, as they will scale and adapt as your team’s needs change. These tools are purpose-built for the shared responsibility model so they reduce distractions and allow you and your team to focus just on the necessary security and speed-related tasks that are important to helping you achieve your goals. Review sites, the ability to trial them and the perspectives of developer communities will also be extraordinarily helpful in guiding you to making the best decision for your organization.
Managing security and DevOps is never easy. With aggressive timetables and delivery deadlines, it’s easy to let the discipline required for security slip. And what makes it even harder is that we cannot hire enough people to take care of these needs. Yet, with a combination of innovative training, new perspectives on hiring and effective use of technology, any enterprise can overcome these limitations.
Originally published on DevOps