The global challenge of achieving cyber resilience
Faced with a rapidly evolving cyber threat landscape, governments throughout the world are focusing efforts on improving their levels of cyber resilience.
In Australia, the 2023-2030 Cyber Security Strategy calls for a whole-of-nation approach to making the country “a world leader in cyber security by 2030”. Meanwhile in the UK, the government’s Cybersecurity Strategy points out that its viability as a cyber power depends on cyber resilience and sets a goal of “the whole public sector being resilient to known vulnerabilities and attack methods no later than 2030.”
Other countries are following a similar path, with support and guidance offered by the Cybersecurity Futures 2030 initiative. In the United States, the most recent National Cybersecurity Strategy set goals only for 2024 and 2025.
However the Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design initiative, launched in April 2023, promotes adoption of many of the same cybersecurity best practices being pursued by other countries.
Yet 2030 is only five years away, and cybersecurity efforts, whether national, international or specific to individual organisations, still face many of the same barriers that have always hampered comprehensive security. For this reason, a question mark remains over whether countries will be able to meet their 2030 goals.
Resource limitations and increasing complexity
The barriers to effective cybersecurity include the familiar suspects: budgetary and resource limitations, the increasing complexity of modern systems and the challenge of keeping up with rapidly evolving cyber threats.
However, topping the list of challenges for many organisations is the ongoing shortage of cybersecurity skills. A recent Cybersecurity Workforce Study from ISC2 found that, although the size of the global cybersecurity workforce increased to 5.5 million workers in 2023 (a rise of 9% over a single year), so did the gap between supply and demand, which rose by 13% over the same period.
Unfortunately, it's more than just a numbers gap. The study also found that the skills gap is an even greater concern: respondents said that a lack of the necessary skills, rather than a shortage of staff, was the bigger factor leaving their organisations vulnerable.
It's clear the current approach is flawed. The grand plans that governments have for cybersecurity will require significant uplifts to security programs, including major improvements in developer upskilling, in verifying the skills developers actually have, and in guardrails for artificial intelligence coding tools.
Organisations also need to modernise their approach by implementing upskilling pathways that verify skills against measured performance rather than course attendance. They need to manage and mitigate the inherent risk that developers with low security maturity bring to the code they ship.
The need for better developer risk management
A recurring element in the 2030 cybersecurity plans outlined by governments is the importance of ensuring that organisations and people can trust digital products and software. If they want their plans to succeed, governments need to set an example for both industry and public-sector organisations to follow.
Developers with the skills needed to write secure code, and to correct insecure code produced by AI assistants or supplied by third parties, have been shown to substantially reduce the number of software vulnerabilities.
Stopping vulnerabilities at the start of the development process also saves time and money on fixes which, according to industry research, can take 15 times longer if done at the testing stage and up to 100 times longer if left until after a program is deployed. Ultimately, the secure practices advocated by CISA's Secure by Design and other initiatives increase developer productivity, improve the SDLC workflow and spur innovation, while at the same time reducing risk.
An effective program would provide ongoing, hands-on education in real-world scenarios delivered in a way that accommodates developers’ work schedules. It would establish the baseline skills developers need, and use internal and industry benchmarks to measure progress and identify those areas that need improvement. It should also be designed so that it can evolve alongside the threat landscape.
Finally, it’s essential that organisations are able to prove that the upskilling program has succeeded by effectively measuring outcomes.
Managing developer risk through upskilling and education isn't the only step that organisations (and nations) need to take, but it is a key foundation for building a robust culture of security.
Overcoming the barriers
For security leaders around the world to keep pace with both emerging technology and emerging threats, they must finally overcome the barriers that have traditionally stood in the way, and the skills shortage is perhaps the biggest of those barriers.
Developers skilled in secure practices and working in tandem with security teams rather than separately, can bring security into the earliest stages of the SDLC, where fixes are easiest to achieve.
However, this goal will not be achieved unless developers have the key software security knowledge and skills that they require. Focusing on closing the existing skills gap should be high on the to-do list for all CISOs and CIOs.