Conclusion

Cybersecurity professionals continue to manage their careers in a tactical manner with little long-term planning.  Many cybersecurity professionals believe that their organizations need to do more to keep up with cybersecurity requirements.

The cybersecurity skills shortage seems to be getting worse, forcing overwhelmed cybersecurity professionals into constant firefighting. While the skills shortage will continue with no end in sight, this year’s research suggests that organizations could and should be doing more to address it.

Takeaways for Cybersecurity Professionals

As with past reports, cybersecurity professionals—especially those in the early stages of a cybersecurity career or individuals seeking to enter the field—should use this research for career planning. Therefore, cybersecurity professionals should:

Start networking, keep networking. Survey respondents recommend that entry-level security professionals join a professional organization as a means for getting their first job. The data also shows that professional organizations act as a catalyst for job hunting, career development, and continuing education. Taken together, the ESG/ISSA research demonstrates that professional organizations can help throughout a cybersecurity career, paying dividends on time and money invested. ISSA itself is a good choice, but the data seems to indicate that cybersecurity professionals will benefit from other regional, industry, and professional organizations.

Resist certification loading—it doesn’t pay. After five years of research, it’s clear to ESG and ISSA that a CISSP and a few other select certifications can be valuable building blocks for a cybersecurity career. Others may look good on a resume or business card, but cybersecurity professionals consistently report getting far more out of hands-on experience such as internships, mentoring programs, or staff rotation. Security certifications should be pursued for specific use cases, to meet job requirements, or to augment on-the-job experience, period.

Make a personal commitment to skills development and training. On an average year, cybersecurity professionals are expected to get about 40 hours of training. This year’s research revealed that 54% of those surveyed reported having more than 40 hours of training in the past year, 24% have had about 40 hours of training, and 21% have had less than 40 hours of training. This data seems positive, but ESG and ISSA also found that many hours of “training” are really used as a means for fulfilling CPE credits rather than real skills development. A cybersecurity professional career is analogous to a physician in that continuing education is critical for each type of profession to keep professionals’ skills and knowledge current and relevant. Therefore, cybersecurity professionals must make a commitment to skills development and training even if this means investing their own time/money or pushing back on employers that minimize continuing education. Given the ever-changing nature of cybersecurity, individuals who invest in their own skills should get a strong ROI throughout their careers.

Pick a technology or business path to pursue. Cybersecurity careers lead to two main roads. One aligns security and business operations, culminating in “C-level” jobs like CISO, data privacy officer, etc. The other digs into the technology toward positions like security engineer, cloud security architect, threat analyst, etc. Obviously, each road requires different skills, but the ESG/ISSA research shows that many cybersecurity professionals are managing their careers haphazardly with no end goal in mind. Indeed, it’s hard to see five or ten years into the future, but at the very least, cybersecurity professionals should decide whether they see themselves in technical or business roles. Upon making this decision, they should set their sights on the chain of command and what skill sets and experiences they’ll need to climb to the next most senior positions.

Remember that when considering a new job, relationships matter. The ESG/ISSA research indicates that cybersecurity professionals get job satisfaction from things like competitive compensation, the ability to work with a strong team and leading technologies, and additional perks for travel, training, industry participation, etc. While these are certainly worthwhile incentives, information security pros should remember that there should be plenty of open jobs offering these benefits. Therefore, ESG and ISSA recommend digging deeper by asking questions like: What’s the relationship like between security and IT departments? Do these teams collaborate well or is there friction? Do executives and the board include cybersecurity in strategic planning and decision making? What’s the relationship between the security team and HR, legal teams, and lines of business? Since cybersecurity is truly a collaborative effort, these relationships could determine cybersecurity program success. It’s worth doing some background research, asking questions, and meeting with non-technical managers as part of the interviewing process.

Takeaways for CISOs and Organizations

This research should be used as a guideline for building a strong and happy cybersecurity team. CISOs and their organizations should heed the following advice:

For goodness’ sake, pay your people! Competitive compensation came up several times in this research project and is clearly critical to hiring and retaining security personnel. Given the competition for security talent, organizations that can’t meet this threshold won’t be successful in hiring and will likely lose key security personnel, who are constantly and aggressively pursued by recruiters and other organizations. CISOs must push through archaic personnel models and pay grades and take this issue directly to executives and corporate boards in pursuit of near-term changes in compensation structures. Business managers must realize that without an experienced security staff, all security investments and strategies will fail.

Drive security further into the business. Organizations should be alarmed by the fact that 29% of respondents said the security team’s relationship with HR is fair or poor, 28% said the relationship with line of business managers is fair or poor, 27% of respondents said that the relationship with the board of directors is fair or poor, and 24% said the relationship with the legal team is fair or poor. This should set off alarm bells to address these organizational problems as soon as possible. CISOs should immediately assess these relationships at their organizations while corporate boards should do the same. Poor relationships will lead to organizational friction, communications issues, human error, and ultimately, increased cyber-risk. The message is clear: Organizations with a cybersecurity culture are in the best position. Certainly, business executives must embrace cybersecurity, but it’s also important for CISOs to move their people, processes, and technologies closer to the business. This may take training, extended interdepartmental collaboration, and process reengineering, which are difficult but worthwhile changes.

Find time and resources for more cybersecurity training and skills development. Some CISOs believe that investing in training is a waste of money that serves as a free education for cybersecurity professionals who will ultimately leave the organization for greener pastures. ESG and ISSA believe this view couldn’t be more misguided. Conscientious employees who expect continuing education will simply invest their own time and money while growing to resent the organization. Others will languish with increasingly limited skill sets. Meanwhile, cyber-risks continually rise. Given the current state of the cybersecurity skills market, some employees will certainly find more lucrative opportunities, but investing in security training will improve the efficacy of the cybersecurity staff, bolster morale, and help the organization mitigate cyber-risk. Benefits like these are well worth the investment.

Since the cybersecurity skills shortage isn’t going away, develop a long-term plan to address it. As previously mentioned, the cybersecurity skills shortage has created a shortage of qualified cybersecurity professionals as well as a persistent gap in advanced cybersecurity skills. Few organizations have the resources and appeal to hire all the talent they need, and five years of ESG/ISSA data indicate that nothing is going to change anytime soon. Therefore, CISOs need a realistic strategy that assumes staffing and skills risks. For example, organizations struggling to fully staff the security operations center (SOC) should consider investing in process automation and managed services for staff augmentation. The goal here should be covering all security requirements while making the existing staff as efficient and productive as possible.

Consider what’s necessary to make your organization an attractive landing spot for cybersecurity pros. Proactive CISOs want to retain existing personnel while recruiting new employees. The ESG/ISSA research provides a recipe for doing so. First and foremost, the organization must offer competitive compensation, including benefits for continuing education and career development. Internship programs can appeal to entry-level candidates and create a pipeline for new employees, while mentoring and staff rotation programs will help train and acclimate talented individuals. Organizations that create a cybersecurity culture and push cybersecurity into business and IT planning will have a distinct advantage. Finally, CISOs should tap into professional organizations, local threat sharing groups, colleges and universities, etc., to spread the word about the benefits of employment at their organizations. While this strategy won’t eliminate attrition, it should create a healthy and attractive work environment.
