Three Top Priorities for Cyberrisk Practitioners in 2022

Jack Freund

Editor's note: This is the fourth in a weeklong ISACA Now blog series looking ahead to top priorities in 2022 for practitioners in digital trust fields. See the previous posts looking ahead to 2022 for audit practitioners, cybersecurity practitioners and privacy practitioners.

It’s that time of the year again where people are making prognostications about what will happen in the new year. Such advice is sometimes useful, sometimes accurate, and usually entertaining. Likewise, career advice can be hit or miss. You may recall the iconic scene in the 1967 film The Graduate, starring Dustin Hoffman, in which the main character is implored to invest his future into one word: plastics. I hope that my advice below about the risk landscape feels applicable to the age we are in and does not overstate the importance of any one technological development (a sure sign that you are chasing the past versus preparing yourself for the future).

The three cyberrisk priorities for 2022 I’ve outlined below are meant to help professionals level up their cyberrisk practices in the coming year. Further, even if you are already proficient in these skills, they can likewise be further sharpened and enhanced to ensure that you are staying abreast of the latest in your industry and maintaining awareness and capability in technologies and soft skills. Cyberrisk is an interesting discipline as we are required to straddle two worlds if we intend to do our jobs well. The first world requires that we be conversant (if not fluent) in the technologies in use today. That is enough for most IT jobs, but cyberrisk also asks that we have the soft skills necessary to be able to provide insight into these technologies for the executives and board directors with whom we interface. I hope that the three priorities I list below aid you in developing yourself for the next career challenge you may face.

Priority #1: Cyberrisk quantification (CRQ) skills
Gartner recently released a report surveying board members. One key takeaway was that 88 percent of board directors view cybersecurity as a business risk. This is a huge win and one we should all be proud of. For a long time, this has been the mantra of cyberrisk professionals: making business leaders understand that cybersecurity affects their business. The good news is that they are listening. The bad news is that they are listening, too. Unfortunately, there are still far too many cyberrisk practitioners who have not adopted CRQ methods to help with this translation of technology to business. This new attention by board directors is going to drive more attention around quantification methods for cyberrisk.

On the one hand, we broadly view cybersecurity as a business risk. Yet, on the other hand, many still believe that cyberrisk cannot be quantitatively measured and that purely qualitative assessments based on practitioner belief and experience are enough to satisfy this business risk. These are two trains powering full speed toward each other on the same track. These two beliefs cannot coexist. The cognitive dissonance is profound.

What other business risk is similarly unmeasurable? Credit? Financial? Market? Operational? Strategic? Regulatory? All these risk practices have some perspective on peril and loss that at its core translates into frequency and magnitude of loss. To truly excel at being a cyberrisk professional in 2022 is to fully embrace that cyberrisk is a board-level concern and, more importantly, that the board will expect this risk to be expressed and managed in a similar fashion to its other risks. This means translating the various missing and broken controls (of which there are many in cybersecurity) into business scenarios that the organization cares about and that can be quantitatively measured.

Priority #2: Executive presence (EP)
Now that we have established that cybersecurity is a board-level concern, are you ready to present at that level? Can you translate statistical representations of risk to non-technical audiences? How are your PowerPoint skills? It’s well-known that executives have too much content coming their way and that we all need to adapt our communications to accommodate this. How do you turn a 30-page risk report into a single slide? How do you communicate the result of this audit in a way that resonates with the various backgrounds of your audience?

This is what executive presence is about: tailoring your communications to the audience in a way that shows that you understand their concerns (listening skills) and understanding how the words you use influence the people to whom you are communicating. There are other aspects of EP that are beyond the scope of this article, but it is never too early to start learning this critical skill.

Priority #3: The ability to learn how to learn
I could have listed my third priority here as Docker, Kubernetes, Airflow, Python, etc. But how good would that list be in 12 months? The truth is that the technologies that are in use today will eventually wane in popularity and be replaced by something new. It’s our job as those who assess technological risk to be familiar with these technologies but not necessarily experts in them. If you transitioned from a technical position into a risk role, then you know certain technologies very well. Great! But know that the longer you spend away from using them daily, the less comfortable with them you will become. So how well do you know yourself? In other words, are you familiar with the way that you learn best and are you able to motivate yourself to do this regularly? There are all sorts of ways to stay engaged with learning. Certifications force you to complete training and learning activities, and for some (myself included) that is a great motivator. If you enjoy reading, there are an endless number of books and articles that can help you stay up to date. In general, however, I recommend finding a way to stay engaged with the latest in the industry and cultivate a habit of continuous learning.

Here are some of the resources that I would encourage you to explore to help yourself better engage these three priorities in 2022. First, for CRQ, there is an excellent ISACA white paper available. For EP, the ISACA white paper on communicating with the board is a good place to start. For more on understanding boards, the National Association of Corporate Directors has a wealth of information. If you want to hone your slide-building skills, I recommend the Extreme Presentation Method. There are also great books that can teach you how to improve how others perceive you. Finally, the ISACA Cybersecurity Nexus platform has interactive training courses that can help keep you up to date on security practices and the latest technologies.

Taking it to the next level
Preparing ourselves for the next level of our careers takes time and diligent effort. You cannot become a next-level cyberrisk professional (whatever that means for you) by attending a week-long course. It takes continuous effort to learn new technologies, to improve soft skills and business acumen, and the self-discipline to keep doing so at a regular cadence. It won’t be easy, but I know you can do it. See you in 2022!

About the author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, NACD.DC, is Vice President and Head of Cyber Risk Methodology at BitSight, co-author of a book inducted into the Cybersecurity Canon in 2016, an ISSA Distinguished Fellow, a FAIR Institute Fellow, an IAPP Fellow of Information Privacy, a recipient of the (ISC)² 2020 Global Achievement Award, and the 2018 recipient of ISACA’s John W. Lainhart IV Common Body of Knowledge Award.