Why humans remain vital for effective cyber security

Many people fear the combination of robotic machines and artificial intelligence will see unemployment queues rise and many jobs disappear.

Similar fears have been expressed in the field of software development. The concern is that roles traditionally carried out by programmers will be undertaken by increasingly sophisticated tools.

However, while technological tools remain critical to software development, they also have limitations. Software development has become equal parts art and science with a skilled, trained developer able to complement static tools and add key value beyond a solely robot-led approach.

There is a critical human element to cyber security. It is one that can take insights from active users, their own experience, and the priorities of their organisation to rethink security. Humans must play a vital role in security, expertly leveraging tools but also applying contextual intuition and experience to improve security posture.

Tools provide limited scope, reactive technology

The rapid software development life cycle has often made security an afterthought, and applications too, often ship with known vulnerabilities. To repair these gaps, other developers participating later on in the life cycle rely on tools that provide great utility, but often respond reactively to threats and address security after the fact. Some of the most commonly used tools can only offer limited protection. They include:

• Vulnerability scanners: These applications take an inventory of technology assets and then check the operating system against a database of known vulnerabilities. While a critical component of cyber defense, vulnerability scanners can only find known threats and remain susceptible to new attack vectors. There is no single scanner that is a catch-all, and they can be notoriously slow, bogging down the security team in false positives and negatives that demand meticulous sorting.
• Software bill of materials (SBOM): This provides an inventory of a codebase, including open-source components and licence and version information. Like vulnerability scanners, these tools check against known vulnerabilities, leaving them open to new types of attacks. They can also be a challenge to keep updated and require significant time from already overworked development teams.
• Jira Software: Originally an issue tracker, Jira is a work management tool that allows developers and IT teams to identify and track coding issues as they build software. This method tends to be reactive and relies on users to identify, research, and resolve problems.
• Embold: This tool allows you to manage and monitor the quality of software projects. It works as an aid to help developers write clear code using artificial intelligence. However, Embold creates generic applications that might not have the depth of security and features that an organisation desires.

Security-skilled developers using a proactive approach make bigger impact

VIEW ALL

The tools listed above all work on a reactive basis. This is where developers can provide real value. They do not need to wait for a breach to expose threat information to take action. Developer teams can build in proactive security controls that shift with emerging threat trends.

Developers can play a key role in their organisation’s security maturity. When properly aligned, development teams and their organisations can work toward a continuous cycle of improvement to stay ahead of evolving threats. This process ensures they keep pace with evolving threats and minimise the risk of an exploit in the code and software being shipped.

Developers are better positioned than anyone to scrutinise vulnerabilities in reused or existing code, along with being a meaningful contributor to defining a secure code standard. Properly trained developers who understand how to build security into the software development lifecycle are as valuable, if not more so than the machines and applications supporting the business operation.

While tools certainly have value and remain a must-have, they cannot become the only focus in an organisation looking for a more holistic, defensive, and modern approach to cyber security. These tools provide a limited view, but developers can fill the gaps through their experience and proper knowledge. They can contribute to a security-centric culture and provide long-term value to an organisation’s security posture.

Important next steps

The bottom line is that there will continue to be strong demand for skilled software developers. With the pace of digital transformation showing no sign of slowing, large numbers of jobs will need to be filled within thousands of organisations.

However, developers need to understand the importance of keeping their skills current. Ongoing training will be required to ensure they understand the latest techniques and can take advantage of rapidly evolving technologies.

This is particularly important when it comes to security. Tools can help get the job done, but there will always be a role for humans.

Matias Madou is the co-founder and CTO, Secure Code Warrior.