The AppSec Dilemma: Investing in Education Amidst Mass Tech Layoffs

This article was originally published on Solutions Review.

From mass redundancies at Big Tech firms like Google, Meta, and Microsoft, to reducing teams in SMEs and small fintech startups, layoffs are impacting thousands of tech and cybersecurity workers. These professionals now face greater competition for fewer technical roles, while employers are left with the challenge of restructuring and retaining remaining staff. In this environment, investment in people has never been more important – in particular, investment in education. Without addressing the inevitable skills gap that comes with reducing the workforce, upskilling those now taking on more responsibility, and demonstrating a commitment to retained staff, it will be hugely challenging to deliver on customer promises or remain competitive whilst secure in a crowded market. This is especially pertinent for the areas of the tech industry that are currently under the most pressure, and companies who develop software for their own use or for their customers exist front and center of this issue.

The ‘AppSec Dilemma’ Amidst Layoffs

The dilemma facing those who develop software is one that has only been compounded by a market where businesses of all sizes are tightening their purse strings, laying off staff, and anticipating the inevitable change that comes with evolving technologies like AI. The problem is that those developing code are already over-worked – 83 percent of software developers feel burnout from their work – and a drive towards DevSecOps and shifting security left is piling on even more pressure for development teams, who may not even have the education or knowledge on how this is best achieved.

At the same time, threat actors are diversifying their approaches while the attack surface grows; critical vulnerabilities increased by 59 percent between 2021 and 2022. It’s therefore clear that baking-in security from the very start of software development is a must to ensure that vulnerabilities are proactively mitigated. Yet, with more skilled professionals being let go and teams running on a skeleton workforce, how can developers cover even more ground and become security experts alongside fast and innovative coders?

It is essentially the role of the industry to ensure their developers and everyone working across the software development lifecycle (SDLC) to support them are empowered with knowledge on how to protect the software supply chain.

Training and Collaboration in the Industry

The reality is only 62 percent of developers learn to code in college or university settings, and even then, not one of the top 50 undergraduate computer science programs requires a course in code or application security for majors, according to Forrester. While there are plenty of routes into software engineering, tech – and cybersecurity in particular – is incredibly fast-moving, so what is taught one month may well be outdated the next. Programmatic education and continuous secure coding training driven by industry is therefore a must, even in a time when the AppSec dilemma isn’t compounded by layoffs.

By upskilling developers and the SDLC team in areas like secure coding, employers not only invest in their teams’ career development and provide the essential skills and knowledge often not covered in traditional education settings like universities, but it is also an opportunity to encourage better collaboration. It’s not uncommon to see developers and security professionals at odds with each other – the former is driving innovation and wants to release code faster, while the latter prioritizes reducing vulnerabilities and only shipping software if it is secure. Yet this lack of collaboration is unsustainable within a smaller team and with a greater focus being put on DevSecOps.

In a reduced workforce, developers will become an integral cog in the secure coding machine to enable the security department to continue delivering secure software. Both teams need continuous education that allows them to bridge the divide, understand each other’s pain points, and recognize how best they can communicate and compromise with the aim of creating the best product or service. A good starting point is to nominate a security champion within the development team, who can own all activities and opportunities regarding secure coding education programs, as well as drive partnerships and projects between the security team and the development team.

Ultimately, businesses should want to invest in their staff. By doing so in a way that bolsters cybersecurity resilience, they not only position themselves as worthwhile organizations to remain employed with, but also weather the storm often brought by layoffs and restructuring while not sacrificing security. Layoffs are a necessary evil in a challenging economic environment, yet at the same time, skills in secure coding have never been more valuable. Considering the current AppSec dilemma that has even fewer professionals in place to solve it, investing in continuous training to boost skills and collaboration across the SDLC is now non-negotiable.