The DevSecOps Skills Gap: Closing the Divide Between Code and Security Know-How

Claire’s post — est. reading time: 13 min

DevSecOps promises a world where security is no longer bolted on at the end of development, but integrated into every step of the software lifecycle. It demands a blend of engineering fluency, security expertise, and operational awareness—a unified mindset across what have traditionally been separate domains. Yet most organisations still operate in functional silos. Developers write code. Security audits after the fact. Operations keep systems running. This separation has become a source of growing risk, as the gap between disciplines widens in the face of rapid digital delivery.

The result is a significant skills gap—one that technology alone cannot solve. Security professionals often lack visibility into CI/CD workflows or infrastructure-as-code practices. Developers frequently have little exposure to secure design principles or common exploit patterns. Meanwhile, operations teams may carry the burden of incident response without a deep understanding of the threats they're trying to mitigate. In a DevSecOps world, this disconnection undermines the very agility that organisations strive to achieve.

When Silos Fail: A Costly Example

A global media company recently experienced the consequences of this gap. In the rush to deliver a new digital payments feature, the development team integrated a third-party API. The security team was not consulted during the build, nor was the API reviewed prior to deployment. The API’s authentication model had a flaw: a race condition that let attackers bypass transaction limits, effectively enabling fraud at scale.

The vulnerability wasn’t caught in testing, because the security team didn’t even know the integration had occurred. The developers, focused on functionality, assumed risk was being managed elsewhere. The security team, preoccupied with other priorities, assumed nothing critical had changed. What failed was not a specific tool or policy—it was the lack of shared understanding. In many ways, it was the skills gap made visible.
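The class of flaw described above is easy to reproduce, which is exactly why a developer who has seen one would have asked for a review. The following is an added, constructed illustration, not the media company's API or any code from the original post: a per-account transaction limit enforced as a separate check and update (racy) beside the same limit enforced atomically. The class names, the 100-unit limit and the 60-unit charges are assumptions chosen to make the race visible.

```python
import threading

# Constructed demonstration, not code from the article or from any real
# payments API: a transaction limit enforced with check-then-act.


class RacyLimiter:
    """Deliberately vulnerable: the limit check (a SELECT, in effect) and the
    spend update (an UPDATE) are separate steps, so concurrent requests can
    all pass the check before any of them records its spend. The update
    itself is atomic, as a database UPDATE would be; the check is not."""

    def __init__(self, limit):
        self.limit = limit
        self.spent = 0
        self._update_lock = threading.Lock()

    def charge(self, amount, after_check=lambda: None):
        if self.spent + amount > self.limit:  # time of check
            return False
        after_check()  # test hook: parks the thread inside the race window
        with self._update_lock:  # time of use: atomic increment, stale check
            self.spent += amount
        return True


class AtomicLimiter:
    """Hardened: check and update run under one lock, so the limit is
    evaluated against the state the update will actually commit to."""

    def __init__(self, limit):
        self.limit = limit
        self.spent = 0
        self._lock = threading.Lock()

    def charge(self, amount, after_check=lambda: None):
        after_check()  # hook runs outside the critical section: no window inside it
        with self._lock:
            if self.spent + amount > self.limit:
                return False
            self.spent += amount
            return True


def run_concurrent(limiter, amount, workers):
    """Fire `workers` simultaneous charges of `amount` against `limiter`.

    Two barriers make the interleaving reproducible: one releases all threads
    at once, the other parks each thread wherever the limiter calls its hook.
    Returns (number of accepted charges, total recorded spend).
    """
    start = threading.Barrier(workers)
    window = threading.Barrier(workers)
    results = []
    results_lock = threading.Lock()

    def worker():
        start.wait(timeout=5)
        ok = limiter.charge(amount, after_check=lambda: window.wait(timeout=5))
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), limiter.spent


def demo(limit=100, amount=60, workers=5):
    """Constructed scenario: a 100-unit limit hit by five parallel 60-unit charges."""
    racy = run_concurrent(RacyLimiter(limit), amount, workers)
    atomic = run_concurrent(AtomicLimiter(limit), amount, workers)
    return {"racy": racy, "atomic": atomic}


if __name__ == "__main__":
    out = demo()
    print("racy  : %d charges accepted, %d spent against a limit of 100" % out["racy"])
    print("atomic: %d charges accepted, %d spent against a limit of 100" % out["atomic"])
```

The racy limiter accepts all five charges and records 300 against a limit of 100; the atomic one accepts one. In a real payments service the shared state lives in a database behind several API instances, so an in-process lock is not enough: the equivalent fix is a row lock or a conditional update (increment only where `spent + amount <= limit`) with the outcome decided by whether a row was affected, and the check must live server-side rather than in the client.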

Security is a Human Capital Challenge

For business leaders, the DevSecOps skills gap should not be viewed solely as a technical deficit. It is a human capital challenge. Organisations cannot build secure software if the people designing and delivering it do not understand the threat landscape. Likewise, security professionals cannot offer meaningful input unless they are conversant in the tools, workflows, and priorities of the development lifecycle. The disconnect is mutual, and closing it requires more than hiring “unicorn” talent. It requires targeted, structured, and sustained investment in learning.

Developers, for instance, do not need to become security experts. But they must learn how attackers think. They need to understand what makes code vulnerable, how seemingly minor missteps can be exploited, and why secure defaults matter. This training should be contextual, lightweight, and integrated into their everyday work—not delivered as an annual compliance module or a generic online course. Conversely, security professionals need hands-on familiarity with version control systems, container orchestration, and modern deployment strategies. Without this fluency, their recommendations will continue to feel out of step with delivery realities.

Building Fluency Across Functions

The answer is not to flatten roles or expect every practitioner to master everything. It is to build bridges of understanding—fluency rather than expertise. Cross-training initiatives are one proven path. Security champions embedded within engineering squads help raise awareness and act as first responders for common security concerns. Shadowing programmes and knowledge exchange sessions create opportunities for teams to walk in each other’s shoes.

Shared retrospectives, brown-bag learning sessions, and collaborative threat modelling exercises foster a culture of collective accountability. These are not luxuries—they are investments in reducing the frequency and severity of security incidents. When teams understand how their choices impact one another, they naturally begin to coordinate more effectively. Over time, secure development becomes not just a practice, but a principle embedded into the organisational culture.

Leadership’s Role in Closing the Gap

From the boardroom to the squad room, closing the DevSecOps skills gap requires intentional leadership. Executives must signal that security is everyone’s responsibility—not just the remit of a single department. This starts by funding education. Security training should be available, accessible, and tailored to the specific needs of different teams. It should be included in onboarding, reinforced regularly, and evaluated in performance reviews.

Moreover, time must be made for teams to learn. Expecting engineers to self-educate “on the side” is unrealistic. Leaders must allocate capacity for training, experimentation, and collaboration. Security skills should be framed as part of technical excellence—not as a distraction from it. The organisations that get this right treat secure delivery as an outcome of empowered people, not enforced policy.

From Vulnerability to Strength

Bridging the DevSecOps skills gap is about more than reducing the likelihood of a breach. It’s about unlocking the full potential of integrated, high-velocity delivery. When teams understand each other’s domains, they build with greater confidence. They fix issues earlier. They innovate more safely. And they respond to threats with cohesion rather than confusion.

For business leaders, the takeaway is clear: this is not optional. Attackers are betting that the skills gap will remain. That development will move faster than security. That operations will pick up the pieces. Investing in upskilling is not just a workforce strategy—it’s a security control in itself.

A Final Thought

The DevSecOps skills gap is real, but it is solvable. Not by waiting for talent to arrive, but by nurturing it from within. By creating pathways for developers to become more security-aware and for security professionals to become delivery-literate, organisations can transform what is now a point of friction into a source of resilience.

Because at the intersection of security and speed, knowledge is the key to sustainable success.
