Organizations wait to implement security solutions for a variety of reasons. One that we often hear is that they’re looking to land that security expert to help them make all the right product selections and correctly implement and maintain the solutions they choose.
This would be great in a perfect world. These organizations would make that hire, buy those products, and start improving security.
Unfortunately, there’s a big gap between the ideal world and the one we actually operate in.
The Market Is Hot
Software security, both on the vendor and the practitioner side, is an incredibly hot market right now, and those who have the skills you’re looking for typically have multiple opportunities in front of them. This has led to a large talent drought even in cities like San Francisco. In a recent study, 82% of the respondents cited a lack of cyber security skills within their organization. Cyber-security talent with software engineering experience is even rarer. They are the unicorns of unicorns. If you wait for the right person, you may be waiting forever.
You Don’t Need to Wait
But it’s not an all-or-nothing situation: you can do a number of things today to add security to your organization without having a dedicated security role in place. Many systems can give practical guidance on improving your security posture without requiring someone with years of experience in a cyber-security discipline. Using a system like AWS Config Audit, you can quickly evaluate your current security posture, compare it to best practices (including the CIS AWS Foundations Benchmark), and then identify and prioritize steps for remediation. (For more about Config Audit, read this.)
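To make the "evaluate, compare to a benchmark, prioritize remediation" loop concrete, here is an added example (not Config Audit's code, and not part of the original post) that runs a handful of CIS-style checks over a constructed snapshot of an AWS account and returns findings ordered by severity. The snapshot format, the severity numbers, and the sample values are assumptions chosen for illustration; a real tool would pull the same facts from the AWS APIs rather than from a dict.

```python
"""Added example: minimal CIS-style posture evaluation over a constructed
AWS account snapshot. The dict layout, severities and sample values are
assumptions for illustration, not Config Audit's data model."""
from dataclasses import dataclass

# Constructed snapshot (assumed shape). Values are chosen to trip several
# checks so the prioritized output has something to show.
SAMPLE_ACCOUNT = {
    "root": {"mfa_enabled": False, "access_keys": 1},
    "password_policy": {"min_length": 8, "require_symbols": False},
    "cloudtrail": {"multi_region": False, "log_validation": True},
    "security_groups": [
        {"id": "sg-example-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-example-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
}


@dataclass(frozen=True)
class Finding:
    severity: int  # 1 = fix first (assumed scale, lower is more urgent)
    check: str
    detail: str


def check_root(acct):
    """Root account should have MFA and no long-lived access keys."""
    root = acct["root"]
    if not root["mfa_enabled"]:
        yield Finding(1, "root-mfa", "root account has no MFA device")
    if root["access_keys"]:
        yield Finding(1, "root-access-keys",
                      f"root account has {root['access_keys']} access key(s)")


def check_password_policy(acct):
    """IAM password policy should enforce length and complexity."""
    pol = acct["password_policy"]
    if pol["min_length"] < 14:
        yield Finding(3, "password-length",
                      f"minimum length {pol['min_length']} is below 14")
    if not pol["require_symbols"]:
        yield Finding(4, "password-symbols", "password policy does not require symbols")


def check_cloudtrail(acct):
    """Audit logging should cover every region and be tamper-evident."""
    ct = acct["cloudtrail"]
    if not ct["multi_region"]:
        yield Finding(2, "cloudtrail-multi-region", "CloudTrail is not enabled in all regions")
    if not ct["log_validation"]:
        yield Finding(3, "cloudtrail-validation", "CloudTrail log file validation is off")


ADMIN_PORTS = {22, 3389}  # SSH and RDP


def check_security_groups(acct):
    """No security group should expose an admin port to the whole internet."""
    for sg in acct["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                yield Finding(2, "sg-open-admin-port",
                              f"{sg['id']} allows port {rule['port']} from anywhere")


CHECKS = [check_root, check_password_policy, check_cloudtrail, check_security_groups]


def evaluate(acct):
    """Run every check and return findings ordered by severity, then by name,
    so the top of the list is the remediation to tackle first."""
    findings = [f for check in CHECKS for f in check(acct)]
    return sorted(findings, key=lambda f: (f.severity, f.check))


if __name__ == "__main__":
    for f in evaluate(SAMPLE_ACCOUNT):
        print(f"[sev {f.severity}] {f.check}: {f.detail}")
```

Each check is a small generator, so adding a control means adding one function to `CHECKS`; the ordering in `evaluate` is what turns a pile of findings into a remediation queue that a team without a dedicated security hire can work through top-down.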
Invest in Security Now
There are two schools of thought on cyber-security in development: it is either an investment at the beginning of the development cycle or a tax at the end. Investing in security at every stage of your development, and at every point in your organization’s growth, ensures that your hard work and hard-fought wins won’t be undermined by something that could easily have been prevented.
Don’t Accumulate Security Debt
In previous posts we’ve spoken about technical debt and the best ways to handle it. Much like technical debt, security debt can’t be postponed indefinitely. There will always be ways that you can add security, but if you don’t start with the building blocks and implement as you go, the payment at the end may be substantial and force you to make revisions that slow down releases and impact your ability to deliver great features to your customers.
Get Started Today
If you take nothing else away from this post, keep in mind that you can do things right now to improve your security posture. These range from developing a culture of security in your organization to implementing best practices throughout your development process. The trick is to make security a part of everything you do, from introducing yourself to visitors in your building you don’t recognize, to applying the latest software patches.
Effective security is never up to one person. Make it a distributed process and a shared responsibility — and don’t wait for that ideal hire to appear.