The supply and demand of network security talents is seriously unbalanced, and the gap is expected to expand to 3 million in 2027

It has been 5 years since the Cyber Security Law was officially implemented.

Over these five years, the legalization and systematization of cybersecurity have steadily matured, and they have also been golden years for the development of China's cybersecurity industry.

According to data from CCID Consulting, China's network security market was worth 33.62 billion yuan in 2016; in 2021, it reached more than 90 billion yuan.

However, behind nearly threefold growth over the past five years lies an imbalance between the supply and demand of talent in the network security industry. Today, the cumulative gap of domestic network security professionals exceeds 1.4 million, and the chief security officer (CSO) is an extremely scarce kind of talent across the entire network security industry.

A cyber attack is not far away

Cyberattacks seem like a distant term to most people. In fact, in recent years, cyber attacks affecting people's livelihoods have occurred from time to time, and critical infrastructure in particular has become the primary target.

On April 28, Beijing Healthbao suffered an "overseas cyber attack" during the peak period of use.

Afterwards, according to the 360 Network Security Research Institute, this was a typical network denial-of-service (DDoS) attack. The attacker uses a large number of compromised network devices, such as personal computers and servers, to send massive amounts of network traffic to the target server, affecting its normal service.

Beijing Oriental Prism Technology Co., Ltd. provides network security services for Beijing Healthbao. The company's security team responded in a timely and effective manner, and Beijing Healthbao related services were not affected during the attack.

He Hua, chairman of Beijing Oriental Prism Technology Co., Ltd., a member of the Big Data (Network Security) Committee of the All-China Federation of Industry and Commerce, has been involved in the network security industry for nearly 30 years.

He Hua recalled to the "Rule of Law Weekend" reporter that when he entered the cyber security industry in 1992, there was no separate cyber security industry in China, and there was only antivirus software on the market, including the Kill software from the Ministry of Public Security and the KV series software from Jiangmin, among others.

At that time, the entire information software industry had just started. Software was still in the DOS era, and hard drives and memory were still measured in megabytes. Anyone could innovate and change the times on their own. Experts wrote programs in assembly language, and reverse cracking of software had a ready market. He Hua started his career by reverse cracking software and writing anti-virus software. Under today's laws and regulations on network security, software cracking has become a sensitive matter.

In 1997, He Hua discovered a bug in Microsoft Foxpro software and reported it to Microsoft. He started his own business that year. After that, he served as the person in charge of R&D and an expert on the expert team at Venustech until 2014, and then founded the current Prism Technology Company.

In 1999, the U.S. bombed the Chinese embassy in Yugoslavia, and national sentiment surged, prompting the Sino-U.S. Honker Internet war. He Hua was also one of the main participants. After 2000, China also began to pay attention to the network security industry. In September 2004, the Ministry of Public Security, the State Secrecy Bureau, the State Encryption Management Committee Office, and the State Council Informatization Work Office jointly issued Gongtongzi [2004] No. "Implementation Opinions on Information Security Classified Protection Work". The release of this regulatory document marked the official promotion and implementation of hierarchical protection work in China.

The times are rolling forward, and the development of the Internet 30 years later is beyond what could have been imagined 30 years ago.

"Nowadays, the world's major powers are using the Internet as a new means of seeking strategic advantages, continuously strengthening top-level design, capacity building, and security review internally, and grabbing cyberspace control, rule-making power, and discourse power externally," Pan Pengdan, executive deputy leader of the talent training expert group of the China Cyberspace Security Association and senior vice president of Guoke Huadun (Beijing) Technology Co., Ltd., told the "Rule of Law Weekend" reporter.

As the goal of building a strong country in cyber security continues to be raised at the national strategic level, improving cyber security capabilities has become a key task during China's "14th Five-Year Plan" period. The improvement of cyber security capabilities will be an important support for the rapid transformation of China's digital economy.

"The state has successively promulgated laws, regulations and normative documents such as the Network Security Law, Data Security Law, Personal Information Protection Law, and Network Security Review Measures, which put forward higher requirements for the construction of information security capabilities of enterprises, and further consolidated enterprises' responsibility for network security," said Pan Pengdan.

Offensive and defensive confrontation between people

"The essence of the network security industry is the offensive and defensive confrontation between people." Liang Hong, chairman of Henan Jindun Xinan Testing and Evaluation Center Co., Ltd., executive vice president of the Network and Information Law Research Association of Henan Law Society and director of its academic committee, told the "Rule of Law Weekend" reporter that with the rapid development of information technology, the competition in the cyber security space at the national and enterprise levels has intensified. In the final analysis, it is a competition for talent. Talent team building is the core of establishing a sound compliance management mechanism for the entire cyber security industry.

Today's computer network security technology includes not only technologies for suppressing and preventing electromagnetic leakage from computer hardware equipment (i.e. TEMPEST technology), theft prevention, and protection against natural disasters, but also access control and information security strategy design such as data encryption, smart card and firewall technology.

Liang Hong said that this means that to become a network security technical expert, one must not only understand computer hardware equipment, but also understand the loopholes in various software programs and filter potential security risks.

In other words, network security positions are not, as traditionally assumed, jobs that anyone with a little knowledge of computer operations is qualified for, and network security talent is very scarce.

He Hua told the "Rule of Law Weekend" reporter that the skill of network security practitioners can be compared to martial arts masters. Some have knives, some make knives, and some do not use any ready-made weapons.

In a famous confrontation in 2000, domestic network security professionals spontaneously formed a virtual team over the Internet. He Hua was a member of the virtual team, in the role of providing network weapons (the knife maker). The virtual team took over websites in the opposing country, hung the national flag, declared sovereignty, and vented its anger on the opponent. To help his partners move faster, He Hua successively developed a privilege escalation tool that exploited vulnerabilities in the Solaris system, a tool that exploited vulnerabilities in the WIN2000 system, and cracking tools for the management of DEC minicomputers. Using these tools, his comrades in arms successfully hung the national flag on the other party's websites and proclaimed the results of the attack.

He Hua believes that the cyber security industry is dominated by young people, and it is easy to develop reverse thinking when young. Many aspects of cyber security work need to be considered from the perspective of offense and defense and confrontation.

This is consistent with the statistical data of the "Report on the Development of Talents in the Network Security Industry" released in recent years. Statistics show that over the past two years, more than 80% of network security practitioners have concentrated in young and middle-aged people between the ages of 25 and 40, and more than half of them are under the age of 35. The highest proportion is between the ages of 30 and 35, about 35%.

In terms of working years, those who have worked for 5 to 10 years form the largest group, accounting for 34.58%, followed by those who have worked for 10 to 15 years and for less than 5 years, at 27.16% and 18.5% respectively, reflecting how young the network security workforce is.

"This shows that the network security field is highly attractive to young talents, but the lack of senior talent reserves and the difficulty in cultivating and retaining newcomers will become common challenges faced by enterprises." Pan Pengdan said.

In He Hua's view, many young people don't like to be "code farmers" but like to take jobs in security, because the work is challenging and novel: as the saying goes, "when the way rises one foot, the demon rises ten", the network security situation changes with each passing day, attack, defense and penetration work brings something new every day, and you can fight against strangers who are invisible at the other end of the network. After 4 to 5 years of experience, you can generally fight independently.

"The charm of the network security industry lies in fighting against invisible opponents. You come and go, just like leading soldiers to fight." He Hua understands that this is the core job of practitioners in the network security industry.

In terms of network security attack, defense and penetration, a Ph.D. is not necessarily a master, and junior/high school students are not necessarily bad. Some junior/high school students are far superior to undergraduates, masters, and Ph.D.s. "Talent, savvy, reverse thinking, accumulation of experience, opportunities are everywhere." He Hua said.

He Hua said that the network security industry is relatively sensitive, and it can be a magic trick. Some people are in the national team, safeguarding the network security of organizations across the country's industries; some have joined listed companies and become regular troops; some work hard in start-up companies; but there are also a large number of practitioners in the black and gray industry chain. These black and gray industry practitioners need to be a focus of rectification by the competent authorities of the network security industry.

The supply of cyber security talents is "lean and yellow"

As the country continues to increase its emphasis on network security at the legislative and policy guidance levels, China's network security industry is ushering in rapid development. According to statistics from the China Cyber Security Industry Alliance (CCIA), in the first half of 2021, a total of 4,525 companies in China carried out cyber security business, an increase of 27% compared to the previous year.

It is worth noting that although China's network security market grew rapidly by more than 20% in 2021, the supply of network security talent has not kept pace. According to official data, the gap in cyber security talent stood at 1.4 million in 2021, and it is expected to expand further to 3 million in 2027.

Pan Pengdan pointed out that network security talents are very scarce, and only 20,000-odd students graduate from college with network security-related majors every year. This shows that the supply of network security talents in China is "short and yellow", and that the growth and training of talent lag significantly behind the overall pace of technological and social change.

"The serious imbalance between the supply and demand of network security talents is not only reflected in the quantity, but also in the dislocation between the supply and demand of different types of talents." Pan Pengdan said.

Due to the characteristics of industry development at this stage, the talent team presents a structure that is too large at the bottom and too small at the top: there are relatively many personnel engaged in operation and maintenance, technical support, risk assessment and testing, and relatively few engaged in strategic planning and architecture design. In particular, there is a lack of high-end comprehensive talents who understand both business and policy, as well as technology and management.

At present, most enterprises assign only 1 or 2 people to be responsible for the company's network security work, and most of them are IT technicians who also take on the related network security work. Although these personnel have a certain technical foundation, they lack professional and systematic knowledge and skill reserves in network security and data security. The phenomenon of "emphasizing products, despising services, emphasizing technology, and despising management" is still very common, leading to a deepening contradiction between the supply and demand of talents.

Pan Pengdan believes that the person in charge of cyber security has always been a key promoter of digital business. This person must always integrate corporate security with corporate business, clearly help the company or senior management achieve strategic goals or protect their interests, ensure that security helps the business, and formulate business-based, quantifiable, and measurable work objectives, rather than relying solely on software or equipment to carry out risk response and management of the organization's network security.

Liang Hong also pointed out that most enterprises manage network security through passive emergency response, lacking top-level design and long-term planning for the organization's overall network security and data security. As a result, the organization is frequently attacked from external networks, and leaks of customer information and equipment failures occur from time to time, causing major impacts and losses to the normal production and operation of the enterprise.

Without a talent echelon reserve, everything is empty talk

As enterprises upgrade their strategic positioning on network security, there is an urgent need for compound network security talents with strategic thinking, sophisticated network security technology, and rich practical experience. The chief security officer, for example, is exactly such a compound network security professional cultivated for enterprises.

Internationally, in 1995, a hacker broke into Citibank's computer systems and stole more than $10 million in funds. Subsequently, information security expert Steve Katz joined Citibank and was appointed chief information security officer; he is recognized as the world's first chief information security officer. In 1999, the United States passed the "Gramm-Leach-Bliley Act" (the Financial Modernization Act), requiring the board of directors of financial companies to appoint a chief information security officer, and to have the chief information security officer report the security situation to the board of directors every year. This act further promoted the establishment and popularization of the chief information security officer role.

According to the survey, the number of global organizations with a chief security officer increased by 6% between 2018 and 2019. Gartner data predicts that by 2025, 40% of companies will have a dedicated cybersecurity committee overseen by board members. And according to a 2020 Forrester research report, 13 percent of chief security officers are already considered C-suite executives, up from 5 or 6 percent just a few years ago.

China's chief security officer system was first implemented in Shanghai in 2015, and it was proposed to hire a person with rich experience in network security management as the chief security officer.

Pan Pengdan believes that the future society's demand for network security practitioners is no longer to play the role of "firefighters", but more to hope that employees will develop into the role of network security experts (such as chief security officers). The transformation from "firefighter" to chief security officer is a step-by-step ability advancement.

However, an embarrassing fact is that the shortage of supply makes talent hard to find. According to the "Rule of Law Weekend" reporter, a game company once offered an annual salary of 3 million yuan for a chief security officer, but failed to fill the post.

"Without a talent echelon reserve, everything is empty talk." He Hua told the "Rule of Law Weekend" reporter that the network security industry will face the expansion of application fields and the explosion of scenario-based applications in the future, and the talent reserve will be even more stretched.

He Hua pointed out that our entire network security industry generally lacks understanding of customer business. This is a common problem, and it is also something that the network industry will have to solve sooner or later. Of course, it is also related to our talent pool and training orientation.

With the deepening of digital transformation, the chief security officer is currently facing a critical moment: if the digital transformation can be supported, the chief security officer will truly become an important promoter of the enterprise's development strategy. The "Ernst & Young CEO Research Report 2021" shows that 68% of CEOs are planning to make major investments in data and technology in the next 12 months, which will also stimulate rapid growth in demand for high-end positions such as chief security officers.

Correspondingly, in recent years, with the vigorous advancement of the construction of a national network security power, local governments and enterprises in various industries have also begun to attach importance to the cultivation of network security talents, and the careers of chief security officer and chief data officer have developed rapidly. At present, Shanghai, Zhejiang, Jiangsu and other places have successively carried out activities such as chief security officer training and chief security officer summit forums.

At the end of 2021, the China Cyberspace Security Association held the first national senior training course for chief security officers in Beijing, inviting well-known experts in the industry as lecturers. The CTO, COO, etc. of the security company have obvious effects and have a certain influence in the industry.

Pan Pengdan believes that the chief security officer is definitely not the professional "ceiling" of network security practitioners, and the potential for future development of network security personnel is unlimited.


Origin blog.csdn.net/2301_76168381/article/details/132712289