Ease the need for IT security pros by writing more secure code

There are about 2.2 million people working as information security professionals today, says Hord Tipton, executive officer for security education and credentialing organization (ISC)2 and former CIO of the U.S. Department of the Interior. That number is expected to grow to 4.25 million by 2015--assuming there are enough skilled security professionals to meet demand.

Already, access to enough IT staff with security expertise is particularly tricky for organizations of all sizes. In a study released earlier this year, IT industry association CompTIA found 41 percent of organizations reported moderate or significant deficiencies in security expertise among IT staff. On average, CompTIA says, organizations were about 30 percent short of their headcount devoted to security.

And according to the U.S. Bureau of Labor Statistics (BLS), which added the category of Information Security Analyst in 2011, unemployment for people employed in the category stands at 0 percent.

"The demand for security people in organizations will be even higher," Tipton says. To meet the demand requires a multipronged approach in which not just (ISC)2 and security professionals but businesses and their executives have an important role, Tipton explains.

Write More Secure Code

One important preventative thing businesses can do to ease the pressure is to make sure developers write more secure code in the first place. Why are companies still producing software with vulnerabilities?" Tipton asks. "Why do we have to keep patching it?"

The answer, Tipton says, is that executives need to prioritize writing secure code upfront and make sure that developers are trained to do it. Additionally, organizations need to revise their lifecycle approach to give security professionals a seat at the table when project requirements get determined, not after.

"The business looks for functionality, user friendliness," Tipton says. "Security is an afterthought. People that are in the security portion of a company have a difficult time getting their recommendations in after the requirements are already set."

SQL Injection Still Highest Root Cause of Data Breaches

A study by research firm the Ponemon Institute of more than 800 IT security and development professionals earlier this year found that most organizations don't prioritize application security as a discipline, despite the fact that SQL injection attacks are the highest root cause of data breaches. The second-highest root cause is exploited vulnerable code in Web 2.0 and social media applications. These types of attacks have been around for years, and, in most cases, are relatively easy to defend against.

"Security, per se, is not a complex science," Tipton says. "Most of it is just the basic controls, the sound principles of security, which we have proven in 23 years of credentialing. They actually work and haven't changed very much. Eighty to 90 percent of breaches are caused by simple attacks, and 96 percent of those breaches could be prevented with basic security controls."

Despite the data breaches resulting from hacked or compromised applications and the lack of compliance with regulations, 38 percent of security practitioners and 39 percent of developers say less than 10 percent of the IT security budget is dedicated to application security, according to the Ponemon Institute's study.

"We set out to measure the tolerance to risk across the established phases of application security, and define what works and what hasn't worked, how industries are organizing themselves and what gaps exist," says Dr. Larry Ponemon, CEO of the Ponemon Institute. "We accomplished that, but what we also found was a drastic divide between the IT security and development organizations that is caused by a major skills shortage and a fundamental misunderstanding of how an application security process should be developed. This lack of alignment seems to hurt their business based on not prioritizing secure software, but also not understanding what to do about it."

"We basically found that developers were much more likely to think there was a lack of collaboration," Dr. Ponemon says. "The security folks, on the whole, thought the collaboration was OK. I think that one of the biggest problems is that the security folks think they're getting the word out on collaborating or helping, but they're not doing so effectively."

In other words, Dr. Ponemon says, the security organization writes its security policy and gives it to developers, but the developers, by and large, don't understand how to implement that policy. The security organizations think they've done their job, but they haven't managed to make their policy contextual for developers.

Application Security Training Required

"We find that process has no bearing whatsoever on the ability of an organization to write secure code," Dr. Ponemon says. "It doesn't take any longer to write a line of secure code than it does to write a line of insecure code. You just have to know which one to write."

But knowing which line of code to write seems to be a large part of the problem. The study found that only 22 percent of security practitioners and 11 percent of developers say their organization has a fully deployed application security training program. Fully 36 percent of security practitioners and 37 percent of developers say their organization had no application security training program and no plans to deploy one.

Ed Adams, CEO of security firm Security Innovation, says he believes providing that education will go a long way toward helping organizations secure their applications and minimize the risk. This is more of an education problem than anything else," Adams says. "In the late 90s, everybody was putting their applications on the web. But they kept on crashing. It was really a performance problem: The developers didn't know how to code for performance. Amazingly, that's what's happening in the world today. Organizations are buying application security tools before they get application security training. You have to get trained on the technique first."

Writing secure code the first time is also a good way to save a bundle of money, Tipton says. Write better applications," he says. "A company pays 30 times as much to bolt security on after the fact. IBM claims it's 100 times."

Opening the Door to Security Careers Is Childs Play

Meanwhile, in addition to its series of security certifications, (ISC)2 is doing its part to bring a new generation of security professionals into the field. "Kids coming into the workforce today know 10 times as much about computers as previous generations," Tipton says. "They are prime candidates for sophisticated work in security. We have to create a pipeline that starts in schools-from colleges to continuing education."

In fact, (ISC)2 is going well below the college level and is venturing into the grade school environment. Its Safe and Secure Online Program for children ages seven to 14 is primarily designed to help children experience the Internet in a safe and secure manner, but one important side effect is that it exposes them to the possibility of security as a career.

"It opens the door," he says. "We explain to the kids that this is a very, very viable career path. Salaries are high. Unemployment is zero. And it's challenging. So many of them like puzzles and games that it really resonates."

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at tolavsrud@cio.com

Read more about careers in CIO's Careers Drilldown.

Join the CSO newsletter!

Error: Please check your email address.

More about CompTIAFacebookIBM AustraliaIBM AustraliaIT SecurityMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Thor Olavsrud

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place