Top Three Priorities for Cybersecurity Practitioners in 2022

Author: Sushila Nair, Vice President, Security Services at NTT DATA Services and Member of the ISACA Emerging Trends Working Group
Published: 7 December 2021
Related: Top Three Priorities for Audit Practitioners in 2022 | Top Three Priorities for Cyber Risk Practitioners in 2022 | Top Three Priorities for Privacy Practitioners in 2022 | Top Three Priorities for Governance Practitioners in 2022 | Top Three Priorities for Emerging Technology Practitioners in 2022

Editor's note: This is the second in a weeklong ISACA Now blog series looking ahead to top priorities in 2022 for practitioners in digital trust fields. See the previous post, which looks ahead to 2022 for audit practitioners.

The availability of security talent, or the lack of it, has emerged as the key limiting factor in information security's ability to secure the modern business. Every year I create a learning plan for myself and my team, as I believe truly great security professionals are developed through continuous learning. I align my learning and that of my team with key business goals and objectives. In a business-focused, transparent security services portfolio, organizations should use business objectives to define a set of portfolio objectives that guide how they invest in technology, skills and process development across the enterprise's diverse needs before considering individual projects. Rather than dividing investments evenly across portfolio objectives, CISOs should deliberately channel disproportionate investment toward the enterprise's key strategic priorities. We must recognize that our talent development should reflect our portfolio roadmap and be part of the budgeting for new service development.

Here are the three cybersecurity areas that I am focusing on building in myself and my team for 2022:

Priority 1: Cloud security
Organizations' move to the cloud has accelerated as a result of the pandemic, hardware shortages and remote work. It is critical that the organization builds out a cloud security center of excellence. According to the Cloud Security Alliance and the analyst firm Gartner, cloud misconfiguration remains one of the top threats to the cloud.

The cloud is complex, with AWS and Azure each offering over 200 services. If you haven't started to build out your cloud knowledge, then you must begin that journey today. It is critical to understand how the shared responsibility model has changed governance and risk. I have completed my knowledge of cloud basics, but if you haven't, ISACA is a good starting point with its Cloud Fundamentals course as well as the Certified in Emerging Technology (CET) certificate. Each of the cloud service providers also has a cloud fundamentals training course: AWS, GCP and Azure. You can easily set up a free tenant in the cloud of your choice to ensure you are getting hands-on experience.

As part of the development of a cloud security center of excellence, I also recommend building out a training program that clearly outlines the levels of knowledge you should achieve or that you require your team to attain. I always add mentoring to my skills roadmap because I acknowledge that the best way of knowing whether I truly understand something is whether I can explain the concept to others. It also allows me to build out the cloud security knowledge within my organization and an environment of continuous learning and mentoring which, in turn, enables a learning pipeline.


Priority 2: Data security
Data is the oil that drives digital transformation, but if data is the new oil, then we have a leak. Data is a company's biggest asset, and regulators globally are increasingly looking to create data privacy laws to ensure that organizations are taking sufficient care of the data that they gather. As a security professional, understanding how we maintain not only the security but also the privacy of data is critical. I completed the Certified Data Privacy Solutions Engineer (CDPSE) certification this year and I am continuing to focus on developing my skills in

  • Privacy governance
  • Privacy architecture
  • Data lifecycle

We are increasingly storing data on IoT sensors, at the edge, in data lakes in the cloud and in data repositories on-premises. I am also working hard to make sure I understand not only the fundamentals of the data lifecycle but also the key architecture that is enabling the collection and use of data.


Priority 3: Next-generation security operations
Malware spreads at the speed of light. The WannaCry attack of 2017 covered 150 countries in 24 hours before security researcher Marcus Hutchins found a kill switch. The Security Information and Event Management (SIEM) system is no longer the heart of the SOC. Instead, we are moving toward XDR. Extended detection and response, or XDR, is a new approach to threat detection and response that enables automatic isolation of threats. Security Operations Centers need to collect and automatically correlate data across multiple security layers: endpoint, server and cloud workloads. I want to ensure that I fully understand how to modernize and optimize SOCs.

I am working through Google, Amazon and Microsoft training around modern SOC operations to get additional information on how the CSPs envision the SOCs of the future. Most automated responses to threats are script-driven. I am focused on building out a script catalog of security responses and risk assessments. This means that learning Python and PowerShell is at the top of my list, and there are some great resources on PowerShell and Python. While I may never be a programming genius, I want to be able to speak a scripting language well enough that I can automate what I need to automate. I may send SOC operations staff to the ISACA CSX Cybersecurity Practitioner (CSX-P) certification or SANS courses. As a manager, I may focus my knowledge more on the design aspects.


Good security is a combination of people, processes and technology. It is people and processes that drive the technology. A culture of continuous learning allows you to build a security talent pipeline and enable the people and process part of the equation in cybersecurity delivery. Each professional should have a personal skills development plan, and we must value and reward knowledge in every area of the enterprise. This is the key to building a truly successful, resilient and future-proof organization.
