Where is your security money going? Typically, it lives at the edges of the network, in operations land. The big spends on items and services such as log aggregators and organizers, firewalls, and penetration testing are generally trusted buys. These are tried-and-true tactics that have withstood the tests of time.
But time, as it were, has claimed many a security system. From the low-tech “recorded over every night” VHS-tape security systems, to the high-tech and highly expensive intrusion prevention systems, security is an ever-changing landscape of concerns both physical and virtual. Thus, the camera remains, while the VHS tape behind it has been replaced with a giant hard drive, capable of storing everything, and even uploading those videos to other giant hard drives out on the Internet.
And as our dependence on technology grows, so will the need for security. Currently, the need for security analysts is growing at a faster pace than the need for software developers, at least, in the US. That’s according to the Bureau of Labor Statistics, which expects an 18 percent rise in Information Security Analyst positions by 2024.
Great news, right? On the surface, yes. Companies are recognizing the need for security and hiring staff accordingly. But if you dig deeper, it becomes clear that the increased demand for security professionals in itself isn’t the “big win” it appears to be.
To start, the same study found that the need for software developers is growing at almost the same rate – 17 percent by 2024. There are already so many more software developers than security professionals that the 1 percent difference will not result in a balanced ratio of developers to security. In fact, the Bureau of Labor and Statistics predicts that, between 2014 and 2024, there will be 186,600 new software development jobs.
In addition, we are already unable to fill all the open security jobs because we lack enough security experts. Adding more jobs does not mean we will also add more security professionals. So, we will keep innovating and creating new technologies, powered by software that will continue to be insecure.
Instead of simply adding security jobs, we need to teach secure development to the growing number of developers, add security to computer science curriculums, and incorporate secure development eLearning activities at businesses. Because, what happens when those 186,600 new software developers, writing their first lines of code at their brand-new desks, don’t know how to securely write software? What happens when one of them writes code that works, but that causes an unseen bug that could compromise the integrity of that entire application?
What if that entire application is just a microservice, and it’s hosted inside the network, with all those other internally insecure, but externally secure, services? What happens when that application is running a core service for your line of business operation?
While spending big money on network security is a major key to succeeding in information security, it’s only a piece of the larger solution. We also need to promote IT security as a profession, and show IT security is more than setting up networks and configuring firewalls. And, ultimately, until we as a society invest in secure development and training security professionals, we will always be one step behind cybercriminals.