AppSec is not just tech skills!

Secure application development has become increasingly important. The shift from desktop applications to web and mobile and the rise of web APIs have expanded the attack surface.

More and more companies invest in secure software development to keep up with the ever-evolving threat landscape. They have introduced methodologies like DevSecOps to integrate and automate security at every stage of the software development lifecycle.

Successful implementation of such a methodology requires people with specific skills. However, the DevOps skills survey from 2017 shows that such profiles are hard to find. Training can reduce the skills gap, but almost 7 in 10 developers said their organisations fail to provide adequate security training. While technical skills are essential, a recent survey by ISACA shows that a lack of soft skills is currently the biggest problem.

In this article, I will highlight some crucial soft skills and explain how they benefit individuals and contribute to better security, growth, and success for companies.

The role of communication

As security impacts people across different departments, effective communication is crucial to improve the security posture and overall success of the business.

What are the secrets of successful communication?

Preparation is key. Choose the best communication type and channel. Opt for two-way over one-way communication whenever possible. It can boost efficiency, and it permits direct feedback and clarification.

Also, tailor your message to the recipient and align it with their goals. For example, if you need buy-in or budget approval from management, do not focus on technical details but explain how the proposed solution benefits the business. If cost saving is one of the company's goals, demonstrate how your application security programme will support that goal.

Don’t make assumptions but ask. And even more importantly, listen to the other party. Keep in mind that every communication is an opportunity to build lasting relationships.

Empathy and pragmatism for better communication and problem-solving

Whatever we try, sometimes it seems impossible to find a solution that suits the involved parties. We might perceive them as unwilling. But what if the problem wasn't with them? What if it was our lack of empathy that made them act defensively?

What is empathy? According to the Cambridge dictionary:

"The ability to share someone else's feelings or experiences by imagining what it would be like to be in that person's situation."

Empathy can make problem-solving easier.

“When you show deep empathy toward others, their defensive energy goes down, and positive energy replaces it. That’s when you can get more creative in solving problems.” – Stephen Covey

In secure application development, we can use empathy to create better software and boost customer satisfaction.

Let’s take as an example a product team that rolls out two-factor authentication (2FA). To improve the security of their customers, they decide to enforce 2FA as a mandatory feature for every login. Numerous customers get stuck because they are not technically skilled, and the helpdesk gets flooded with support requests.

This outcome could have been prevented had the team designed the feature with empathy for all stakeholders. They could have implemented a more pragmatic solution that supports multiple authentication journeys and incentivises customers to enable 2FA rather than obliging them, for instance by verifying a second factor only for sensitive actions until the customer chooses to enrol.
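As an added illustration of the "multiple authentication journeys" idea (this is example code written for this article, not the product team's code and not a Veracode component), the function below decides, per login and per action, whether a user gets password-only access, a gentle enrolment nudge, a step-up check before a sensitive action, verification of a factor they already enrolled, or a hard enrolment requirement. The class names, the rollout knobs (admin enforcement, a deadline, a nudge interval) and the emailed one-time code used as the low-friction fallback are all assumptions for the example.

```python
# Added example: choosing an authentication journey during a staged 2FA
# rollout instead of flipping a global "2FA is mandatory" switch.
# All names and policy knobs below are hypothetical.
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Journey(Enum):
    PASSWORD_ONLY = "password_only"    # password login, no second factor
    NUDGE = "nudge"                    # password login, then invite to enrol
    STEP_UP = "step_up"                # second factor before this action only
    VERIFY = "verify"                  # user enrolled a factor: verify it at login
    ENROL_REQUIRED = "enrol_required"  # hard requirement: enrol before continuing


@dataclass
class User:
    user_id: str
    is_admin: bool = False
    factors: frozenset = frozenset()   # enrolled factors, e.g. {"totp", "sms"}
    email_verified: bool = True        # assumed field: enables an emailed one-time code
    last_nudged: Optional[date] = None


@dataclass
class RolloutPolicy:
    """Hypothetical rollout knobs for the example."""
    enforce_for_admins: bool = True
    enforce_after: Optional[date] = None   # deadline after which everyone must enrol
    sensitive_actions: frozenset = frozenset({"change_email", "change_password", "payout"})
    nudge_every: timedelta = timedelta(days=7)
    factor_preference: tuple = ("webauthn", "totp", "sms")  # strongest first


@dataclass
class Decision:
    journey: Journey
    factor: Optional[str]   # factor to verify, or None
    message: str            # what the user sees


def strongest_factor(user: User, policy: RolloutPolicy) -> Optional[str]:
    """Return the strongest enrolled factor according to the policy's preference order."""
    for factor in policy.factor_preference:
        if factor in user.factors:
            return factor
    return None


def choose_journey(user: User, action: str, policy: RolloutPolicy, today: date) -> Decision:
    """Pick the least disruptive journey that still satisfies the rollout policy."""
    factor = strongest_factor(user, policy)
    if factor is not None:
        # The user opted in, so honour that choice on every login.
        return Decision(Journey.VERIFY, factor, f"Enter the code from your {factor} factor.")

    must_enrol = (policy.enforce_for_admins and user.is_admin) or (
        policy.enforce_after is not None and today >= policy.enforce_after
    )
    if must_enrol:
        return Decision(Journey.ENROL_REQUIRED, None,
                        "Two-factor authentication is now required for this account.")

    if action in policy.sensitive_actions:
        # Step-up check using a fallback that needs no prior enrolment.
        if user.email_verified:
            return Decision(Journey.STEP_UP, "email",
                            "We sent a one-time code to your email to confirm this action.")
        return Decision(Journey.ENROL_REQUIRED, None,
                        "Please set up a second factor before performing this action.")

    # Everyday actions: let the user in, and remind them at most once per interval.
    due = user.last_nudged is None or today - user.last_nudged >= policy.nudge_every
    if due:
        return Decision(Journey.NUDGE, None,
                        "Protect your account: set up two-factor authentication.")
    return Decision(Journey.PASSWORD_ONLY, None, "")


if __name__ == "__main__":
    policy = RolloutPolicy(enforce_after=date(2024, 1, 1))
    for user, action in [
        (User("admin", is_admin=True), "view_dashboard"),
        (User("alice"), "view_dashboard"),
        (User("alice"), "payout"),
        (User("bob", factors=frozenset({"sms", "totp"})), "view_dashboard"),
    ]:
        print(user.user_id, action, choose_journey(user, action, policy, date(2023, 6, 1)))
```

The design point is that the same policy object drives both the friction and the security guarantee: admins and anyone past the deadline are held to the hard requirement, sensitive actions always get a second check, and everyone else is invited rather than blocked. Because the decision is pure and takes `today` as a parameter, the rollout schedule can be unit-tested before it is shipped.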

Decision-making

In application security, we use our decision-making skills every single day. The decisions we make regarding the security of our applications can have serious consequences. What if we incorrectly decide that a particular application security risk is not a threat to us? Or what if we implement a security control that generates a lot of helpdesk calls and even makes us lose customers?

Decision-making is not always easy. It requires several other skills, like:

- Strong communication skills are crucial if your team members' opinions or expertise are required.

- Analytical thinking skills are necessary to process all information available and come to a balanced solution. You'll often need to prioritise and make the decisions with the highest impact. Maybe you can't fix a vulnerability straight away because of a lack of capacity, but putting the application behind a web application firewall mitigates the problem and buys time. Treat that as a compensating control with a fix date, not as a closed finding: the vulnerability is still there behind the firewall.

How to build a strong application security team

A successful application security team needs a mix of technical and soft skills. While companies have been trying to close the hard skills gap via training, there has been less focus on soft skills. For many companies, the lack of soft skills is one of the most urgent problems to solve. To do so, companies adapt their recruitment process, but candidates with the desired skills are hard to find. Training employees on soft skills is also an option, although it is hard to accomplish.

Hiring for attitude is a great way to circumvent the recruitment problem while building a successful application security team. Start with building a team with good soft skills but relatively low technical skills and augment them with technical skills on an as-needed basis.

Running an application security champions program improves application security by cultivating a security culture. In their SANS Security Awareness Summit 2022 talk, Madeline Howard and Sophia Adhami from Sage shared how their security champions program realised an 82% decrease in time to fix vulnerabilities.

Conclusion

Apart from technical skills, soft skills like communication, empathy, pragmatism, and decision-making are crucial for individuals to build a successful career in application security. More and more companies are looking for candidates that possess these skills. They understand that soft skills are indispensable to building a security culture necessary to improve application security.

Companies will benefit from training employees on the soft skills mentioned above. Even with training, mastering these skills takes time and practice. Luckily, we can learn from the experiences of teammates and peers in the cybersecurity community. Resources like the Cyber Empathy podcast, in which people with different professional backgrounds share how they improve security by practising empathy, are very valuable for speeding up the learning process.

With soft skills as the solid foundation of your AppSec team, you can then develop the required hard skills. The Veracode DevSecOps approach can help you instill secure coding practices from the very beginning across your organisation. Don’t hesitate to reach out or to take a look at our website to discover more.
