With 16+ years in cybersecurity, Édouard Viot, CTO of Symbiotic Security, is a hacker at heart and an innovator in AppSec, WAFs and EDR.
The answer is: you don’t—because you don’t assess it during interviews.
It’s not uncommon, and it’s not something to be ashamed of. Assessing a developer’s skills in the limited time you have during an interview is incredibly challenging. You need to cover a range of topics: problem-solving, system architecture, design, teamwork, algorithms, clean and maintainable code, and more.
Cybersecurity often takes a backseat because it can take time to assess properly.
As a result, when a new developer joins your engineering team, you likely have no clear understanding of their ability to write secure code. The reality is that most organizations never formally assess the security skills of their engineers.
Instead, security issues are often uncovered later, during code reviews with more senior developers, or when your CI/CD security tools flag problems.
Current Challenge
Relying solely on CI tools isn’t enough to address this gap. While they are useful and should be part of your process, they won’t solve the underlying security issues in your software. The main reason is that these tools aren’t educational. They don’t help engineers understand the root causes of security vulnerabilities—they just fix or suppress issues to get the feature deployed.
Cybersecurity is often viewed as a skill that can be acquired, and that’s true. But what tools or processes do you have in place to impart those skills to employees? Are you approaching it in a way that ensures engineers are actually building this skill, as opposed to simply checking a box?
How To Fix It
Here’s what you should do as a CTO:
• Incorporate cybersecurity into your career ladder.
If you want to see progress, you need to set clear objectives. This touches on the transparency portion a bit, but there should be clear and understood security milestones that the employee knows they need to hit to advance as a developer.
Let’s look at the junior and lead developer positions, as examples. The expectation for a junior-level developer should be to simply understand a concept when it’s explained to them. The lead developer, however, should already have an understanding of security concepts and established security habits.
Using my own experience as CTO, I ask developers to write a feature from scratch during the interview process. My expectation for a lead developer is to understand and preempt what leads to something being insecure within, for example, an algorithm or other script or code.
A junior-level developer can make those same mistakes but understand when I point it out, have a willingness to correct it and be enthusiastic about gaining further understanding of the problem. Since the lead developer is going to be reviewing the code of the junior developer (among other things), I need to know that they understand what they’re looking for.
• Assess security skills regularly.
This isn’t about pointing fingers; it’s about helping people grow in their careers. To that end, there should be transparency throughout the process in terms of timing—such as key milestones in employment and scheduling assessments—and expectations, including what the individual is expected to know, how they should demonstrate their knowledge and how they can learn and practice effectively.
• Provide ample time and the right resources for training.
People need the right tools and space to learn properly. If advancement hinges on this knowledge, then it is incumbent on the management team to ensure the tools and education that aid in these achievements are made available. A program that provides digestible training courses with real-world context and hands-on challenges ensures effective knowledge transfer.
• Tailor the training.
Ensure that engineers are learning actionable skills and not wasting time on things they already know. Training should be individualized and laser-focused on what each person needs—not solely for career advancement that might be realized some time down the road, but to enable them to complete the task they are working on this week, or even today.
For example, is the training in the programming language they’re using? How does it relate to their current project? Is it referencing a vulnerability they just created, another in their workspace or one randomly generated? Understanding the developer’s context with a security program that works with and for them increases security adoption and knowledge.
As the industry continues to shift left and decentralize risk management responsibility, more and more of that responsibility has fallen (and will fall) to developers. To that end, it is extremely important to bake security fundamentals into developers’ career ladders to better help them grow within the company and throughout their careers.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.