When auditing your software supply chain security, it’s important not to forget building and maintaining the job skills of your software supply chain security team. Building skills amongst your software supply chain security team and setting expectations for skills and experience amongst your supply chain vendors is a prudent investment as you prepare for a potential attack in your future.
Here are some job skills to build and refresh amongst your technology teams and vendors who make up your software supply chain:
1. DevSecOps
The agile nature of the software supply chain, combined with its operational complexities, calls for people with DevSecOps skills and experience. DevSecOps brings your security team and tools into the DevOps life cycle. Designating DevSecOps as a desired job skill for both your internal software supply chain teams and your vendor teams also gives them a common framework, shared operational expectations, and shared terminology that can improve operations across your supply chain.
Building upon and validating DevSecOps skills is still a nascent activity. There are few industry certifications right now for DevSecOps. The DevSecOps Foundation certification from The DevOps Institute is one certification you can have your software supply chain team members pursue to level set DevSecOps skills across your teams and vendors. If DevSecOps certifications aren’t workable because of timing and availability, then consider the DevSecOps courses on learning sites such as LinkedIn Learning, Cloud Academy, or A Cloud Guru.
Another option for DevSecOps skills training is to create your own internal training program for all engineers and architects involved in your software supply chain. Your team members who are in charge of software supply chain security need to partner with every vendor team that touches any part of your product during the DevSecOps life cycle to validate that security is an integral element of the vendor’s software delivery organization’s tools, processes, and culture.
2. Oral and Written Communication (Soft Skills)
Securing today's software supply chain requires that all the participants have soft skills. Relationship building is critical behind the scenes of software supply chain security, as you often have to interact with executive decision-makers, management stakeholders, and counterparts on vendor teams.
The need for soft skills extends outside your own enterprise: dealing with vendors and suppliers across your supply chain, both in regular business and in crisis situations, requires strong oral and written communication skills and even empathy.
Building up soft skills takes practice. While there are various online platforms that offer soft skills training, sometimes the best training is having your managers and team leads set the example so you establish a culture where soft skills are seen as a benefit and not a weakness.
3. Analytical Skills
Software supply chains add further levels of complexity to software delivery. With more complexity come more opportunities for things to break down at points across your software supply chain.
Building up analytical skills on your teams can take a couple of forms. Most commonly, it's thought of as a personal learning pursuit. However, DevOps teams have the advantage of using retrospectives and post-mortems to showcase the analytical thinking of their senior team members. These meetings also give you the opportunity to put a structure or framework around troubleshooting and analysis.
4. Cloud Architecture
As the cloud plays a predominant role in the software supply chain, it's time to make wise staffing investments in cloud architects. Cloud architects are an in-demand role, as Google shows in its use of trusted cloud computing to secure its own software supply chains.
While Google is an extreme example of how cloud architecture skills play into software supply chain security, cloud infrastructure is a growing attack vector. You want to have that skill set in your organization, and it's also a skill set you want across your vendors.
Cloud architecture is an in-demand job skill. Fortunately, cloud architect training options abound. Each of the major cloud services providers has solution architect certifications. Your employees and partners can take the training and even their certification tests online.
5. Documentation
You can't run a software supply chain, with its needs for processes, frameworks, and policies, on oral history, an email inbox, or a Slack channel alone. You need to create a documentation culture with the job skills to go with it. Beyond the security requirements you place in your vendor contracts and RFPs, written documentation is necessary to educate your vendors about the standard security practices they must follow to remain a vendor in good standing for your software supply chain.
For example, a best practice is for vendors to document their software and hardware design and build processes to ensure the processes are repeatable and measurable. Such documentation should already be part of the cost of doing business if your product must meet compliance standards such as FedRAMP, Sarbanes-Oxley (SOX), or the Health Insurance Portability and Accountability Act (HIPAA).
Building documentation skills isn't about bringing in contract technical writers to produce some documentation for your supply chain as a rapid-fire, one-and-done project. Rather, documentation needs to become part of team members' jobs and of your vendor requirements. Options for building documentation skills:
- Embed technical writers or editors amongst your teams to act as writing coaches for technical staff tasked to document the systems and processes they support
- Create documentation templates for the major document types you require from vendors, and provide job aids, documentation kickoff meetings, and follow-up support
- Showcase examples of well-done documentation in team and vendor meetings
Final thoughts
As your teams work to improve their support of software supply chain security, you're going to encounter many judgment calls. The job skills in this blog post all have one thing in common: they require continuous learning in order for your internal teams and vendors to be successful. As the software supply chain becomes the latest attack vector for nation-state and other attackers, it's in your best interests to give your teams and vendors the tools they need to succeed.