What’s the first thing you do when you are looking for security talent? Post a job on LinkedIn? Contact your internal recruiter or your external partner? It might surprise you to hear this from a recruiter but it's often prudent to start your search a little closer to home. In fact a CISO we spoke to in our recent CISO Survival Guide stated "Skills are important but given the shortage that exists it’s rare that you will find a candidate that has every attribute you are looking for. In such cases it’s often a good idea to develop from within where you’ll find people that know the business and know the stakeholders – that’s a great starting point."
With security professionals being difficult to find and becoming more and more expensive, one of the best options is looking at what talent you have internally and how you could invest in their transition to security. I spoke with the CEO of HackEDU, Jared Ablon a company who have created a software based training platform to transition your software developers into a more security-centric role.
He stated that security organizations are realizing that the cannot properly scale to meet their application security needs. So many organizations are moving towards a 'security champion' model and are empowering their developers. Security champions are the developers that think about security, ensure that standards are up to date and enforced, research new security requirements that may be needed, and evaluate security tools. This works best if it is voluntary rather than forcing people to be a part of it, in a lot of instances there are developers that are already excited about security. For this model to work both security champions as well as developers need to be empowered with training to help stop security vulnerabilities.
HackEDU provides hands-on secure development training that helps developers improve their ability to write secure software, boost their understanding of how software systems are hacked, and decrease the time to solve security related problems. In addition, the training helps meet PCI, HIPAA, ISO, and NIST compliance requirements.
HackEDU's training ensures developers learn both offensive and defensive application security training which is more engaging and proven to be more effective than defensive training alone. The lessons use real applications and content includes real public vulnerabilities. This training shows developers how attackers are looking at their code, the impact of the vulnerabilities, and provides real coding exercises to fix vulnerabilities.
Given the cost and time to hire for security professionals, as well as ensuring candidates are bought in from a cultural perspective, this is certainly an option to be weighed up when bringing in security talent.