The DevSecOps Skills Gap – How to Build a Team Capable of Securing the Entire Pipeline
Janet's post — est. reading time: 6 minutes
As organisations adopt DevSecOps practices, a recurring challenge emerges: the skills gap. While DevOps transformed development and operations, adding security into the mix requires a workforce with hybrid expertise that is in high demand but short supply. Companies often struggle to recruit and retain professionals who understand coding, infrastructure, cloud technologies, and cybersecurity simultaneously. This gap can slow down transformation, increase risk, and lead to a reliance on tools without the human insight necessary to manage complex threats.
Security skills are often scattered across different teams. Developers may lack awareness of secure coding practices, operations teams may not fully grasp application-level vulnerabilities, and security specialists may not understand CI/CD pipelines. The result is a fragmented approach where security is either an afterthought or overly rigid, stifling innovation. A clear example comes from a large financial services firm that attempted to “shift left” without proper training. Developers were expected to identify vulnerabilities without prior experience, leading to false positives, delayed releases, and frustrated teams.
Addressing the DevSecOps skills gap requires a multifaceted approach. First, organisations should prioritise cross-training: developers learn security fundamentals, security professionals gain insight into application architectures, and operations teams understand secure deployment. For example, a global e-commerce company implemented a structured rotational programme where developers spent time in the security team, and vice versa. Over six months, vulnerability detection improved by 40% and deployment times accelerated. Second, hiring strategies must evolve to value hybrid skill sets and potential over traditional titles. Offering apprenticeships and internal upskilling programmes helps cultivate a pipeline of talent attuned to the organisation’s specific technology stack and risk posture.
Third, organisations must create a culture of continuous learning and collaboration. Security knowledge should be embedded into daily workflows, from code reviews to release approvals. Incorporating pair programming, threat modelling sessions, and security-focused gamification can enhance engagement and retention. Finally, leadership support is essential: allocating time for training, recognising security contributions, and integrating metrics for security competence ensure that the investment in people is sustainable. Companies that ignore these steps risk deploying tools that nobody knows how to leverage fully, creating false confidence and leaving critical vulnerabilities unaddressed.
In an era where cyber threats are increasingly sophisticated, bridging the DevSecOps skills gap is not optional. It is a strategic imperative that aligns talent, processes, and technology. The organisations that succeed will be those that see security as an integral part of engineering, not a separate compliance checkbox. What steps are you taking today to ensure your team can meet the security demands of tomorrow?