How to Avoid the AppSec Staffing Crisis
Routes to real progress and success exist beyond outdated and painful hiring practices. Evidence of the housing crisis is all around us. From the skyrocketing home purchase and rental prices to the unfortunate tent cities popping up in highly impacted areas. But it has been in the making for a long time, toiling in the shadows until it was too late.
Similarly, in the tech industry, a crisis that has been years in the making is finally passed a tipping point. This crisis is a lack of skilled and knowledgeable application security experts. It has developed to a point where even the largest software development organizations face staffing struggles despite their deep pockets and a vast pool of resources to draw from.
But what about startups and small businesses that don't have Swiss bank accounts and networks that could fund and populate a small country?
Now Hiring...
Seemingly, for every skilled software security expert looking for a job, there are a hundred job postings. How is a small business, start-up, or cash-strapped organization going to compete with the big dogs?
The sad truth is you can't. The elusive talented application security applicants are drawn to major enterprises like Amazon, Microsoft, Google, and Facebook, along with a few well-funded startups. After all, they can offer the resources, benefits, huge salaries, and other enticements that many can’t afford.
Yet even they cannot escape the growing number of serial job hoppers.
The Employee Factory
The approach most businesses will consider is hiring less skilled people or moving an existing employee laterally to the position, and training them to do the job.
This has a ripple effect within your organization, requiring you to backfill the spot the employee left, invest in education and training resources, and deal with skills-growth pains and the inevitable mistakes made along the path to expertise.
Promoting within and backfilling the position can be a great idea—building up your employees, investing in them, rewarding them, etc. But does it work in the software security space? The answer is: Not often, because once trained in a more lucrative field, they tend to job hop, continuously looking for the bigger, better deal.
You essentially become an employee factory. Building them up on a training assembly line and watching them move out the door. Again and again.
Job Fatigue
The ISSA (Information Systems Security Association International) and ESG (Enterprise Strategy Group) released a research report titled, “The life and times of Cyber-Security Professionals 2021,” in which they surveyed about 500 security professionals and revealed a huge gap in cybersecurity skills and more.
The “skills challenge” also increases stress amongst the team with increased workloads (62%) and high burnout (38%). Open job requisitions (38%) haunt many large and smaller organizations. And it isn’t getting any better, only worse!
This problem is widespread across the cybersecurity industry—notably in cloud computing security, security analysis, investigations, and application security.
Show Me the Money!
Startups and small businesses can’t pony up the money to keep their application security experts for long.
You can sculpt them and train them, but unless you show them the money—they’re gone! Just look at LinkedIn and you can see the revolving door of employee movement that even the largest corporations are dealing with.
Supply and Demand
Just as the homelessness situation is in part a supply and demand-caused problem, food prices, energy prices, automobiles, and other basic necessities are seeing huge increases in costs.
The same applies to the application security field. There is a massive imbalance in the small number of skilled AppSec experts and the increasing number of unfilled roles. When that happens, prices go up, and they have been for five-plus years now.
Outsourcing Abroad
The answer used to be going offshore. The problems are the same, however, and going offshore isn’t necessarily cheaper and brings in a host of additional problems.
Costs have skyrocketed, you are chasing the same lack of skills, and there is no way to really validate who you are working with, their expertise, or relevant experience. They won’t work on your schedule, plus, can you be sure they’re focused on you vs. working with a dozen other firms?
What If I Just Ignore The Problem?
Ignorance is bliss after all - that is, until you get hacked and lose your intellectual property, all the time it took to build it up, your income, your reputation, your house, the shirt off your back... the list goes on.
Application security is more important than ever, and a managed AppSec service can help you maintain your budget, focus your resources on key personnel, and deliver on your application project.
So, what is the solution?
How do we navigate these rough waters in 2023?
Focus Your Resources and Your Money
There will be a light at the end of the tunnel. More people will get skilled in application security to chase the big bucks, and the salaries will level out.
In the meantime, a good approach would be to focus on your crucial resource: your software development team. Pay what is necessary to hire and attract key talent, and invest in a managed service to handle the application security portion of your business.
Managed AppSec to the Rescue
Managed Services have been around for a decade or more now, initially to address the lack of skilled cyber-analysts and the millions of attacks facing enterprises. Today, there are managed application security offerings that can take the application security task off your hands, allowing your team to focus on software development.
True Positives, provides a simple and very affordable managed application security service with quick turnaround and actionable results, so your team can focus on addressing the most critical flaws in your software and not be overburdened by the noise generated by various expensive tools in the marketplace.
Simple, Safe & Affordable.
Enjoy FREE Standard scans powered by a proven superior commercial scan engine. Our reports trim all the fat and get straight to the good stuff with high-level findings that you can confidently give straight to your team. Stop wasting effort and start focusing your resources on addressing the most notable security flaws.
Or get the PRO service if you want grander detail and expert remediation guidance to help your team understand and prioritize the vulnerabilities. With True Positives you can avoid the staffing headaches everyone is facing and build your software—securely.
To get a free 1 on 1 AppSec consultation today, contact True Positives and start fortifying your AppSec today!