DevSecOps: how automation is changing cyber security hiring

It’s no secret there is a global cyber security skills shortage. Recent research estimated nearly 3 million professionals are needed worldwide to plug the skills gap, with 500,000 cyber security employees needed in North America alone.

Nearly three-quarters (73%) of IT security functions in the US say they are understaffed, more than both the UK (70%) and APAC countries (67%). Understandably, employers are looking for new ways to fulfill their cyber security needs.

The DevSecOps framework is becoming increasingly popular, for example. A combination of development, security and operations, this methodology is a natural progression from DevOps, which was designed to ensure software development and IT teams work together to build, test and release applications faster and more reliably.

DevSecOps goes a step further by also embedding security practices into development and operations processes from the outset. The idea is to encourage teams to consider security at every step of development, rather than just as an afterthought.

DevSecOps and security automation

Automation is a fundamental part of DevSecOps. Gartner figures forecast that 70% of DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages by the end of this year. In 2015, this figure stood at less than 10%.

The Ponemon Institute found that US organizations are already at the forefront of automating cyber security processes; 79% of IT departments said they already use automation or plan to within the next three years. The three most commonly automated activities are malware analysis (50%), log analysis (47%) and threat intelligence (41%).

“Within just one year, the perspective around adoption of automated technologies has notably shifted among security professionals,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

“Contrary to the popular belief that the rise of automation will threaten the job market, organizations now feel these technologies will help ease the current strain on resources, and offer the potential to promote job security for highly skilled staff, while strengthening cyber security defenses.”

A shift in hiring focus

So, what impact is this drift towards automation more generally – and DevSecOps specifically – having on hiring? Well, we’re seeing a very noticeable trend of organizations seeking candidates who have software development experience as opposed to pure security-focused backgrounds.

Programming languages such as Python, JavaScript, PHP, SQL, Bash, C and C++ are increasingly sought-after, as script-based security processes become more common. Automation tools like Red Hat Ansible and Puppet Enterprise are also frequently used within DevSecOps environments, so businesses are keen to attract talent with experience of using these platforms.

Overall, employer appetite for recruiting programmers and developers into security roles is high. Candidates who have already been working in a hybrid DevSecOps-type position are ideally placed to take advantage of this trend.

That said, DevSecOps is a relatively new phenomenon, which means quality applicants with these diverse backgrounds are in short supply. As a result, demand is extremely high, especially among technology and fintech employers.

We only expect these trends to become more pronounced as a growing number of organizations take on DevSecOps practices. Gartner recently predicted these practices would be embedded in 80% of development teams by 2021 – up from just 15% two years ago.

What do these trends mean for candidates?

A recent survey revealed 71% of DevOps professionals feel their team does not have adequate knowledge of DevSecOps best practices yet, and half are struggling to find the right talent for their security analyst teams.

The most obvious takeaway for candidates is that security professionals who have programming capabilities or DevSecOps experience could have multiple job offers open to them if they choose to switch roles.

Employers are also happy to recruit applicants who come predominantly from software development backgrounds, which creates opportunities for anyone considering a career shift from coding into a more security-focused role.

But what about security professionals who don’t have programming experience? Now could be the time to start upskilling in these areas. Whatever the form, automation isn’t going away anytime soon.

Taking courses or gaining qualifications in key programming languages and automations tools is therefore advisable for candidates. In addition, a growing number of business functions are moving into the cloud, so AWS Certification and other cloud qualifications will help security professionals stand out during the application process.

Preparing for the future of cyber security

The world of cyber security is moving fast, and both businesses and candidates must keep pace with ever-evolving trends to ensure they don’t get left behind.

Increasing automation means security professionals will be expected to have a better understanding of coding and software development than perhaps has previously been the case. DevSecOps practices are also likely to become the norm in many tech-oriented environments. Deloitte predicts the next 18 to 24 months will see working knowledge of DevSecOps grow markedly among CIOs and development leaders.

Ultimately, finding the right talent is always a challenge, and employers face even more difficulties in professions where there are already widely reported skills gaps, such as cyber security. Meanwhile, there has never been a better time for security professionals who possess the right combination of skills and experience to advance their careers.

At Barclay Simpson, we specialize in the information and cyber security market, enabling us to stay abreast of the latest hiring trends and match the best employers and candidates together. If you are looking to expand your security teams, or are a professional considering your next career move, please contact me today on +1 646 578 8940 or via email at

Image credit: StockSnap via Pixabay