Linux Foundation Shares Framework for Building Effective Cybersecurity Teams – Source: securityboulevard.com

Source: securityboulevard.com – Author: Michael Vizard

The Linux Foundation this week made available a customizable reference guide intended to help organizations identify critical cybersecurity skills requirements.

Developed in collaboration with Open Source Security Foundation (OpenSSF), the Cybersecurity Skills Framework defines roles and responsibilities across a wide range of IT and cybersecurity roles and functions, including tasks that should be assigned to application developers, DevOps engineers, project managers and platform architects.

The Linux Foundation is encouraging organizations to adapt and extend the framework to their own requirements, with updates based on feedback provided to be made annually.

Clyde Seepersad, senior vice president and general manager of education for The Linux Foundation, said many organizations not only lack a firm understanding of the total scope of their cybersecurity requirements, but are also not entirely sure who within their organization should be responsible for performing them.

As a result, many of them are also unclear about what skills are needed for specific roles, he added. For example, a recent Linux Foundation survey finds 64% of organizations report candidates lack essential skills, and it now takes an average of 10.2 months to hire and onboard new technical staff.

Even with the rise of artificial intelligence (AI), there is still no substitute for actual domain expertise, noted Seepersad.

Christopher Robinson, chief architect for the OpenSSF, said the issue is especially acute when it comes to application security. There is a clear need to embrace DevSecOps practices to better secure software supply chains, but many cybersecurity teams don’t always understand what’s required to fix a vulnerability in an application, especially if that issue involves open source software that was provided by a third-party maintainer of a project who doesn’t officially work for the organization.

The maintainers of those projects are not under any obligation to provide an immediate patch for any zero-day vulnerability that might be discovered, he added. In fact, The Linux Foundation report notes that 62% of open source project stewards lacked dedicated personnel for security incident response. On the plus side, 74% do have in place some formal cybersecurity reporting mechanisms.

Hopefully, the Cybersecurity Skills Framework will also enable organizations to better allocate limited resources. A Futurum Group research report projects the cybersecurity market will grow at a compound annual growth rate (CAGR) of 11.6% from 2024 to 2029 to reach $287.6 billion in revenue as investments are spread across multiple classes of technologies and solutions.

On the plus side, a survey conducted by Checkmarx notes that more responsibility for application security is being shifted to other units within organizations, which should serve to improve security in a way that might reduce total costs.

Regardless of approach, it’s clear there is a greater appreciation for cybersecurity. The challenge is turning that appreciation into actual resolve that makes the organization more secure. Otherwise, the cost of cybersecurity will only continue to increase in a way that will inevitably lead to uncomfortable return on investment (ROI) conversations later.

Original Post URL: https://securityboulevard.com/2025/05/linux-foundation-shares-framework-for-building-effective-cybersecurity-teams/?utm_source=rss&utm_medium=rss&utm_campaign=linux-foundation-shares-framework-for-building-effective-cybersecurity-teams

Category & Tags: Cybersecurity, Featured, News, Security Awareness, Security Boulevard (Original), Social – Facebook, Social – LinkedIn, Social – X, Spotlight, cost, DevSecOps, Skills
