In August 2024, we asked our audience to tell us about their organizations’ security practices: their role in the organization’s security program, their certifications, their chief concerns, and the strategies their companies use to address those concerns. We received 1,322 complete responses, 419 of them (about one-third, or 32%) from members of the security workforce. The remaining 903 respondents do not work in security, but 19% of that group hold at least one security-related certification. This report focuses primarily on responses from the security workforce, with occasional observations about the practices of other organizations.
What are the key challenges security organizations face in their efforts to make the world safer? What strategies are organizations adopting to protect themselves against the growing threat of cybercrime? What skills do they have, and what skills do they need?
Here’s a summary of our key takeaways:
- Phishing, network intrusion, and ransomware are the most significant cybersecurity threats.
- Most companies have implemented multifactor authentication, endpoint security, and zero trust to strengthen their security posture.
- Roughly 50% of all respondents work for companies that require their security professionals to hold multiple security certifications.
- The two most widely held and sought-after certifications for cybersecurity professionals are the Certified Information Systems Security Professional (CISSP) and CompTIA’s Security+.
- Cloud security and AI are the most significant skills gaps in the industry today.
- Security professionals keep their skills current through ongoing training, online resources, industry literature, and videos and documentaries related to the field.
Any survey has to contend with bias. Does our audience accurately reflect the broader security industry? Our audience comes from a wide range of companies across many industries, but is it representative of the security community as a whole? Probably not, in part because security practices are highly specific to each organization. Still, asking people remains the single most effective way to find out what they actually do.
Who We Talked To
Among respondents with a direct security role, 16.2% are security managers, 7.2% are Chief Information Security Officers (CISOs), and 1.2% are information security program managers as defined by the National Institute of Standards and Technology (NIST). Together, roughly 24.6% of respondents, about one-quarter, hold security management roles.
Roughly 28% of respondents identified as security architects (15.3%) or security engineers (12.6%), the people who design security programs. That may overstate the prominence of security architects,
Cybersecurity specialists (10.3%) and security specialists (8.6%) form a distinct group: the people who do the “blocking and tackling,” the essential work of securing programs and data. Together they account for 18.9% of respondents.
Analysts, who scrutinize logs to identify incidents, establish countermeasures, and repair damage after an attack, form another group. About 12.6% of respondents work as cybersecurity analysts (10.0%), security operations center analysts (1.4%), or incident and intrusion analysts (1.2%).
Assessors and auditors are a separate group. Only 1.4% of respondents are primarily security control assessors; 4.1% assess vulnerabilities, and 3.3% are IT auditors. Auditing has similarities to accounting, but its core competencies differ significantly from those required in cybersecurity. The Generally Accepted Auditing Standards (GAAS) established by the American Institute of Certified Public Accountants (AICPA) stipulate that only certified public accountants (CPAs) may conduct audits. Security audits may also be required by insurers, trading partners, and prospective customers. SOC 2 compliance is often described as voluntary, but many insurers and trading partners treat it as a non-negotiable requirement for doing business.
About 1.7% of respondents identified as penetration testers, and roughly 5.5% as incident responders. Penetration testers, often called the “red team,” conduct simulated attacks on their own organization’s systems to uncover vulnerabilities, using techniques such as entering secured areas, attempting to steal credentials, escalating privileges, and exploiting software flaws. Incident responders, the “blue team,” defend against ongoing attacks, contain the damage after an attack, and work with law enforcement and other relevant organizations to ensure a swift and effective response. The two are traditionally separate functions, but they may converge in smaller organizations.
Companies are gradually adopting the National Initiative for Cybersecurity Careers and Studies’ Workforce Framework for Cybersecurity, a standard that aims to unify job roles and function descriptions across the industry.
Top Threats
We wanted to know which security threats concern security professionals most. What keeps them up at night? We asked respondents to identify the three most significant challenges they face.
There were no surprises. The responses highlight the importance of the basics: phishing was the top concern, cited by 55.4% of respondents as one of their greatest risks, followed by network intrusion (39.9%) and ransomware (35.1%).
Phishing is a significant threat, and fighting it is an uphill struggle; the most effective defense is thorough training of the entire workforce. A phishing attempt can be surprisingly simple: an innocuous-looking email that asks for sensitive information such as a password, or that prompts the victim to visit a fake website, exploiting the trust of unsuspecting individuals. Phishing used to be relatively easy to identify and combat; detecting a good phishing attempt has become much harder. Even without AI, attackers have become very good at crafting messages that convincingly impersonate organizations, governments, help desk staff, or partners. Once an attacker obtains a password, they will use it. And once an account has been breached, attackers often find it easy to escalate privileges or discover additional vulnerabilities. Least privilege and zero trust help, but they limit the damage after a compromise rather than preventing the initial one. Employees can be trained to be appropriately cautious, but that means teaching them to distinguish malicious requests (“I need you to log in to our network…”) from legitimate ones that still warrant careful verification. Good training programs exist and are an essential part of the process, but not every training program is effective.
Network intrusion is a broad category. Phishing often leads to a network intrusion; ransomware has to get into a network before it can do damage. Even on its own, discovering intruders in your network, whether physical or virtual, means you have real problems.
Despite the attention ransomware has received in recent years, only 35% of respondents listed it among their top concerns (65% did not). No security measure is foolproof, and a ransomware attack can follow a successful phishing attempt or network breach. Ransomware attacks have attracted a lot of press, but this illicit industry has largely operated below the radar. Ransomware operators appear to have concentrated on organizations with substantial financial resources and valuable data, but other organizations can become victims too.
Data and intellectual property theft ranked fourth, selected by 31.0% of respondents. As ransomware attacks grow in frequency and sophistication, a worrying trend has emerged: attackers increasingly combine encryption with data theft. If you have already gone to the trouble of encrypting someone’s data, why not steal it as well? Stolen personal data can be resold to other criminals or used for blackmail, a significant threat to individuals’ privacy and security.
Software supply chain compromise, the sixth most common threat, concerns 28.4% of respondents. Given the recent prominence of software supply chain issues, it is surprising that this figure is not higher, especially since a supply-chain-like incident occurred just before our survey went live. The CrowdStrike incident was not hostile, but the line between vulnerability to a malicious actor and vendor error is thin. Numerous commercial software products have been attacked in ways that in turn endanger their customers. Open source software has its vulnerabilities too: one issue that was detected before it could do harm served as a cautionary warning.
Security professionals are less worried about distributed denial-of-service (DDoS) attacks: only 16.7% chose them, probably because DDoS attacks usually target cloud providers and very large e-commerce sites, rendering them unavailable to customers. When a cloud provider is attacked, any business relying on it can suddenly become a casualty, and customers have few options for mitigating the impact short of costly duplication of infrastructure. About 10.0% of respondents are concerned about adware, roughly 7.6% about illicit use of resources such as cryptocurrency mining, and a further 1.9% about becoming part of a botnet.
Staying Protected: Top Initiatives
With the most pressing risks identified, let us look at how security organizations are addressing them.
An impressive 88.1% of respondents have implemented multifactor authentication (MFA). MFA can be compromised in some scenarios, but it remains an exceptionally effective measure against most kinds of account breach, because it is much harder for an attacker to steal a mobile device than a password alone. Attacks against text-message-based MFA are rare, but passkeys (30.1%) and passwordless authentication (25.8%) are significantly more robust alternatives to traditional MFA, and passwords have consistently proven to be the weakest link in an organization’s security. Eliminating passwords altogether is a major milestone for the security sector, and it is finally within reach.
In 60.1% of respondents’ companies, endpoint security has been implemented. Endpoint security means protecting employees’ devices, including laptops and mobile phones, from cyber threats and unauthorized access. Employees are increasingly mobile, and their laptops, smartphones, and other devices constantly cross the boundaries of their employers’ networks. That mobility raises significant security concerns. Securing a device that never leaves the corporate network is a manageable problem; securing one that moves between a company network, a home network, a coffee shop, and a conference hotel is far harder. A hotel full of employees attending a conference is a haven for attackers, who can exploit a concentration of unsuspecting people on a network with limited security. A single compromised device can spread malware throughout an organization’s network or cloud infrastructure when it reconnects to an office or VPN, where defenses may be limited. When devices leave the company’s network, it is just as crucial to protect them as to protect the servers they interact with.
Only 50.8% of respondents’ companies have implemented zero trust. In a zero trust architecture, every service and individual must authenticate independently whenever they need access to another service. This prevents the compromise of one system from spreading to another, and it protects against careless users who leave an unattended machine logged in. Zero trust is especially important for cloud applications and APIs that serve external customers.
Security automation (36%) and AI-enabled security tools (20%) are less widespread. Automation and AI go well beyond analyzing system logs with handwritten scripts.
So far we have looked at what respondents’ organizations have already done. What do they plan to do next? We asked which initiatives organizations intend to complete by the end of next year. The answers may not align perfectly with organizational priorities, but they show where individual contributors are focused.
Automation is top of mind. The top investment priority for next year is AI-enabled security tools (34.4%), with security automation third at 28.2%. Microsoft Copilot for Security did not rank high on the list, but it clearly belongs to the same theme. Automating the work of security teams is a pressing priority, particularly for those responsible for compliance. That makes sense. I have yet to encounter a software development team that wasn’t overwhelmed with work. AI won’t eliminate jobs by making developers more efficient; it will reduce the backlog. The same goes double for security. By automating routine firefighting, security teams can redirect their attention to strategic initiatives like zero trust and multifactor authentication, which benefits everyone.
Compliance appears to have plateaued: 36.3% completed compliance work in the current year and 22.0% plan it for next year, placing it fourth on the list. Since compliance is a perpetual endeavor, it is hardly surprising that organizations are perpetually struggling to keep up with its evolving demands. Like preparing tax returns, it sparks little enthusiasm but has to be done. Compliance-driven security tends to be a checklist exercise, heavily focused on individual controls, and surprisingly ineffective at keeping criminals out of the system. Compliance is an ongoing reality, but it is unlikely to feature prominently on most companies’ lists of high-priority initiatives.
Multifactor authentication (15.0%) and endpoint security (10.7%) rank low here, likely because they have already been so widely adopted.
What About the Cloud?
Multifactor authentication, at 44.9%, is the most common method of securing cloud infrastructure. Cloud providers’ interfaces are inherently external-facing. They are not protected by your firewall; they run on hardware outside your control, and you cannot unplug the Ethernet cable when you suspect an attack. Cloud resources require robust security, and MFA remains the most reliable protection currently available.
41.5% of respondents cited DevSecOps. DevSecOps is a shift in software development in which security is an integral part of the development process from the start rather than an afterthought. “Shift left” is the DevSecOps mantra, and building security into every stage of development is crucial for reducing vulnerabilities from inception. Infrastructure as code, another cornerstone of DevSecOps, also resonates with cloud security: 33.9% cited it. Many vulnerabilities in production systems arise from avoidable configuration errors, with identity and access management (IAM) often at the root. Infrastructure as code (IaC) standardizes the creation of infrastructure, improving reliability and minimizing errors by scripting deployment and keeping it under version control. When infrastructure provisioning is embedded in software, it is far more resilient to operator error. The days of typing commands at a console to configure switches, routers, and servers are firmly in the rearview mirror.
Key management (38.9%) is crucial for modern cryptographic systems and also plays a vital role in implementing zero trust (30.1%). Tooling for automation and observability (nearly 27%) also ranks highly. The importance of observability cannot be overstated in today’s complex systems: you cannot manage or troubleshoot what you cannot see. Cloud security might be considered a niche, but our survey suggests that many see it as an integral component of overall security rather than a distinct specialty. Implement robust authentication, embrace zero trust principles, and automate as much of the process as possible. Build observability into your organization to enable proactive decision-making and real-time issue resolution. Make security a cornerstone for development teams so that you stay ahead of the curve.
Security for Supply Chains
Software supply chain security is one of the newest concerns in cybersecurity. For a long time, we accepted software at face value. Vulnerabilities existed, but they were bugs in the software, and the remedy was to patch them after they were discovered. In recent years, starting around 2020, software itself has become an attack vector. If an attacker can insert malware into a widely used product, the number of downstream victims who willingly or unwittingly install the malicious code grows enormously. The SolarWinds supply chain attack brought the issue into sharp focus, but the problem goes back much further, at least to an attempt to compromise the Linux kernel in 2003, and it has very likely continued to this day.
The most widely used measure against software supply chain attacks is a third-party audit, used by 44.2% of respondents. Audits let you see exactly what goes into your builds and provide insight into the security practices of the organizations that supply your software. SBOMs (software bills of materials), at 22.2%, serve a similar purpose when done well: they record the libraries and modules required to build and deploy a system, so that any changes are easy for developers and security staff to detect. A program can depend on dozens of libraries, each with its own dependencies, a network that can quickly expand to hundreds of external components. An SBOM says nothing about the practices of the organizations or individuals who provide the software, but it does give a precise account of what is being used, crucial information given the number of dependencies in any large software project.
Validating the software development pipeline (37.5%) and ensuring the integrity of its components (32.5%) are closely related. Inserting backdoors and other vulnerabilities into software that is then distributed downstream is only one way to undermine the development process; human error, inadequate testing, and poor coding practices can also compromise its integrity. The tools, servers, and repositories in the pipeline each play distinct roles, and each has its own vulnerabilities. What happens if you misspell the name of a widely used library? Someone may have published a malicious package under the misspelled name, which your build could then install. Poor management of identities and credentials can lead to unauthorized access and devastating consequences. There are many ways an attacker could inject malicious code into your product and compromise its integrity. To secure your supply chain, you have to consider every link in the chain: everything that touches the software on its journey downstream.
Zero trust appears again at 26.3%, second to last but still significant. A single weak link in a complex system has an amplified impact on the entire program, with far-reaching and potentially catastrophic consequences. When a vendor delivers a flawed product, you are exposed. Even with comprehensive auditing and SBOMs in place, a single misstep can let attackers compromise a trusted library or program, rendering all preventative measures ineffective. With zero trust, the damage they can do is severely curtailed.
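The two preceding paragraphs describe what an SBOM buys you (changes become detectable) and the misspelled-library problem. As an added example, not code from the report or from any SBOM tool, the following Python script parses two constructed CycloneDX-style SBOMs, reports components that were added, removed or changed version, and screens newly added names for lookalikes of an allowlisted dependency. The package names, versions and allowlist are constructed; only the CycloneDX `components` layout (name, version, purl) is real.

```python
"""Diff two CycloneDX-style SBOMs and flag lookalike dependency names.

Added example, not from the report or any vendor. The two SBOM documents are
constructed; only the fields this script reads are included.
"""
import json

# Constructed baseline SBOM: what the last reviewed build depended on.
BASELINE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7"},
        {"type": "library", "name": "cryptography", "version": "42.0.5",
         "purl": "pkg:pypi/cryptography@42.0.5"},
    ],
})

# Constructed current SBOM: urllib3 was bumped, cryptography disappeared, and
# a package with a near-miss name ("requets") crept in.
CURRENT_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.2.1",
         "purl": "pkg:pypi/urllib3@2.2.1"},
        {"type": "library", "name": "requets", "version": "0.0.1",
         "purl": "pkg:pypi/requets@0.0.1"},
    ],
})

# Constructed allowlist of libraries the project intentionally depends on; a
# real project would keep this under version control next to its lockfile.
KNOWN_GOOD = {"requests", "urllib3", "cryptography"}


def parse_sbom(text):
    """Return {component name: version} for a CycloneDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["name"]: c.get("version", "") for c in doc.get("components", [])}


def diff_sboms(baseline, current):
    """Classify every change between two parsed SBOMs.

    Returns sorted lists: 'added' (new names), 'removed' (names that vanished)
    and 'changed' ((name, old, new) for version bumps or downgrades).
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        (name, baseline[name], current[name])
        for name in set(baseline) & set(current)
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "changed": changed}


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def suspicious_names(names, known, max_distance=2):
    """Flag names outside the allowlist that sit within max_distance edits of
    an allowed name: the pattern a misspelled dependency produces."""
    flagged = []
    for name in sorted(names):
        if name in known:
            continue
        near = [k for k in sorted(known) if edit_distance(name, k) <= max_distance]
        if near:
            flagged.append((name, near))
    return flagged


def review(baseline_text, current_text, known):
    """Full check: diff the SBOMs, then screen the added names for lookalikes."""
    delta = diff_sboms(parse_sbom(baseline_text), parse_sbom(current_text))
    delta["suspicious"] = suspicious_names(delta["added"], known)
    return delta


if __name__ == "__main__":
    for key, value in review(BASELINE_SBOM, CURRENT_SBOM, KNOWN_GOOD).items():
        print(f"{key}: {value}")
```

Any hit in `suspicious` is a build that should be blocked pending a human look at the package; the removed entry for `cryptography` is just as important, since a vanished security library is also a change an SBOM exists to surface.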
Skills Shortages
We have looked at security professionals’ concerns, priorities, and goals for the coming year. Who will do the work? What skills do they need? Corporate downsizing may temporarily push more security professionals into the job market, but demand for these specialists remains relatively constant, and the result is a persistent shortage of skilled workers. Where are we falling short?
Cloud security is the biggest gap, cited by 38.9% of respondents in the security workforce. The fundamental principles of cloud security are familiar, but they take on fresh significance in this landscape. Securing the cloud means taking principles such as access control and least privilege and applying them to servers and entities that are accessible only through the APIs cloud vendors provide for remote management. When you are dealing with thousands of virtual instances, building and using tooling becomes crucial to operating across many servers, serverless architectures, and cloud providers. Any mistake in a service can have far-reaching consequences for your entire infrastructure, which is precisely why infrastructure as code has become indispensable. The game is the same, but the stakes are much higher. Amazon Web Services (AWS) has been a market leader for nearly two decades, yet cloud computing is still new or untested at many organizations. Despite all the talk, some companies were reluctant to move out of their own data centers until forced to. Several factors, not all of them bad, keep companies “on-premises”: sunk costs, concerns about cloud security, and in some sectors, regulatory requirements. Many companies moved to the cloud without appreciating the specialized skills, particularly in security, needed to run it safely. The result is a critical shortage of cloud security expertise.
Artificial intelligence brings a complex array of previously unknown threats that we are only beginning to comprehend. The AI community had seen significant advances over the past decade, but everything changed with the arrival of GPT-3 in November 2021, which sent shockwaves through the field. The security community, like everyone else, was caught off guard, both by the uncertainties and by the perils. 33.9% of respondents identified a lack of AI expertise as a major obstacle, exacerbating concerns about vulnerabilities such as prompt injection. We are just starting to grasp the severity of AI’s risks, let alone the mitigations; many AI experts fear that flaws like prompt injection will never have a complete fix. The community’s response to the proliferation of AI is woefully inadequate to its risks and consequences. Over the next few years, we anticipate a significant increase in AI-focused research, training, and certification.
Companies are also looking for additional professionals with expertise in forensic analysis (30.8%) and red teaming (26.0%). These skills are always in short supply: people doing forensics and red teaming need a strong foundation in the basics while staying abreast of the latest developments, and finding people with current knowledge is a perpetual challenge.
Skills in risk management and risk assessment (47.8% combined) are also in short supply. Risk is worth a closer look. In today’s threat landscape, even the smallest vulnerability is significant, and no security team can defend its organization against every possible attack. It is impossible to eliminate all risk, but planning can anticipate potential attacks and limit their impact through safeguards that minimize harm. If you don’t know what is at risk, you can’t defend it well, and trying to give every asset equal protection is unsustainable. In daily life we put different locks on our front doors than banks put on their vaults; security teams have to make the same kind of choices. Risk management means prioritizing the attacks that are most likely to occur while also preparing for those with the most severe consequences, regardless of their probability.
Respondents do not perceive significant skills gaps in networking (16.5%), auditing (16.2%), analysis and evaluation (16.2%), or public key infrastructure (11.7%). Public key infrastructure has a reputation for being arcane, and given its importance to zero trust and identity management in the cloud, it is hard to believe there is no shortage of expertise. Network security has been a challenge for so long that there are plenty of experienced people to draw on. Auditing, like analysis and evaluation, is a mature discipline: the tools are mature and well understood.
Certification
Without proper certification, safety becomes a mere illusion, leaving individuals and organizations vulnerable to potential disasters. Without a robust foundation of safety protocols in place, certification would be an empty label devoid of credibility. We’ve come across many safety experts whose names are followed by an impressive array of certifications, reminiscent of the British aristocracy’s penchant for listing their titles. The appendix concludes by listing numerous common certifications, including those discussed in this report.
Despite the ease of making sarcastic comments, these certifications play a crucial role nonetheless. When selecting candidates for safety-focused roles, our primary consideration is their ability to demonstrate a deep understanding of safety principles and best practices. We scrutinize their experience in identifying and mitigating risks, as well as their aptitude for fostering a culture of accountability within teams. You can learn to craft effective résumés and conduct insightful interviews. However, a critical challenge in hiring for safety is that the greatest achievement may be imperceptible. A candidate for a software program growth position can confidently assert, “I designed and developed Fooify,” or boastfully declare, “My code is live in Barthing.” Alternatively, they might proudly showcase their contributions to ThingaBase on GitHub, inviting interviewers to explore the impact of their work. In addition, they will demonstrate their coding prowess by solving complex problems on a whiteboard or completing a more substantial project within a day. “I scrutinize every step of the Bobbify process to ensure a safe and incident-free journey from design to deployment.” For six years, I worked without incident at Firm X; a similar pattern exists in safety budgets. Neglecting assumptions about tasks, like implementing a zero-belief model, the substance of the dialogue goes thusly.
- "What did you accomplish this year?"
- "Well, nothing bad happened. We didn't have any major breaches: no ransomware, no data theft, no major incidents."
- "And because nothing happened, you want two new hires and a 20% budget increase for 2025?"
As the evidence accumulates, companies are moving past that narrow view; the number of high-profile incidents has made it impossible for employers to ignore security. One CEO's instruction was straightforward: take whatever resources you need, but if I ever have to talk to the press about a security breach, you're all fired. Once you've digested that, the question is whether the glass is half empty or half full; realistically, it's three-quarters empty and we're asked to be optimistic about the rest. Still, there are signs that the focus on security has shifted significantly over the past few years. When someone asks what you accomplished, there are bigger things to point to, such as building in zero trust from the start and rolling out multifactor authentication. And as new technologies like AI arrive, they bring their own vulnerabilities that need prompt attention and mitigation.
That kind of record may describe past achievements, but the fundamental problem remains: "Nothing bad happened." It is far easier to show that you can launch an attack than to show that you can defend against one. Few people can say they fended off a DDoS attack or spotted and contained a ransomware attack before it took hold. More commonly, security professionals can say they helped clean up after a successful breach, which raises the harder question: what oversight or weakness let the attackers gain a foothold in the first place?
So security certifications have an importance that certifications in other fields don't. Certification requirements exist in many fields, but nowhere are they as prominent as in security. Employers and security specialists want a standardized way to document and recognize expertise. Given how widely certifications are treated as a benchmark of competence, it isn't surprising that roughly half of respondents said their employers require some form of certification for security positions: 51.3% require certification and 48.7% don't. What is surprising is that the requirement isn't higher. There was no significant difference between respondents who are responsible for security and those who aren't.
Are certifications filling the skills gaps? ISC2's Certified Information Systems Security Professional (CISSP) is the most widely required certification, cited by 42.1% of respondents. Among CompTIA's certifications, Security+ is the most widely required, at 31.0%, followed by Network+ at 21.6%.
The most popular security certifications, as measured by usage of our learning platform, are consistently the CISSP, followed by Security+. Both exams are broad, but they are quite different. The CISSP is a comprehensive exam for experienced professionals; candidates need at least five years of relevant experience before taking it. Security+ is more of an entry-level certification, appropriate for junior staff.
The next most frequently required certification is ISACA's CISM (Certified Information Security Manager), at 11.7%. CISM focuses on risk assessment, governance, and incident response, all of which came up repeatedly when we asked about job roles. ISACA's CISA (Certified Information Systems Auditor) is required by 10.7% of respondents' companies, which mirrors the proportion of respondents responsible for auditing or evaluating processes.
EC-Council's CEH (Certified Ethical Hacker) is just behind CISM, at 11.5%. CEH is a credential for penetration testers and red teamers, and penetration testing ranked fourth on the list of the most acute skills shortages. Unlike most security specialties, ethical hacking offers plenty of ways to demonstrate skill without buying a certification: many security conferences run "capture the flag" competitions in which participants try to break into a simulated target, and similar exercises are available on our learning platform. Even so, companies still want the assurance that a certification provides.
Many respondents identified cloud computing as a significant skills gap. Two cloud certifications, CCSP (Certified Cloud Security Professional, from ISC2) and CompTIA Cloud+, are required by 7.6% and 6.9% of respondents' companies respectively. Companies requiring either of the two account for 14.5% of responses, which would place the pair behind only CISSP and Security+ among the security certifications we asked about. Cloud security is an important specialty, and one where proficiency is notoriously hard to demonstrate.
What about "Other"? It was chosen by 17.4% of respondents, ranking just after Security+ among the security certifications. We'll have more to say about it below; the number isn't surprising. There are a great many security certifications: Paul Jerimy's comprehensive list counts 481 distinct certifications. Our list of 12 is a small sample, and a certification like CFR (CyberSec First Responder), which appeared in only 0.5% of responses, barely registers.
Certifications Security Professionals Have
Employers require certifications. But what certifications do security professionals actually hold?
40.8% of respondents in security roles have no certification at all. Put the other way, 59.2% have at least one, which is high compared with other computing fields. But who are the 40.8%?
Incident responders are the least likely to be certified: 70% of respondents who identified as incident responders hold no certification. Unlike other security disciplines, incident response doesn't have a long tradition of certification. The certifications most relevant to responders are the CyberSec First Responder (CFR), held by only 0.5% of respondents, and GIAC's Certified Incident Handler (GCIH), at 1.4%. Vulnerability assessors (65%) and incident/intrusion analysts (60%) are also frequently uncertified, probably for similar cultural reasons. Surprisingly, 33.3% of Chief Information Security Officers (CISOs) are uncertified. At the other end of the scale, only 17% of security control assessors and 30% of cybersecurity managers lack a certification.
A notable 25.1% of respondents in security roles hold certifications other than the ones we listed, the second-largest group among respondents with a security job. We allowed write-in answers, and they were spread across roughly 500 distinct certifications; even after deduplication, only a minority appeared more than twice. The most frequent write-ins were AWS or Azure certifications, though respondents rarely named a specific one. In total, 1.9% of respondents in security roles hold some form of AWS certification and 0.9% hold an Azure certification. Given the shortage of cloud security expertise, the certifications offered by the major cloud providers are worth watching. Another notable write-in was CRISC (Certified in Risk and Information Systems Control), which certifies expertise in risk and information systems control. Fewer than 1% of respondents hold it, but it covers risk assessment, an area with a significant shortage of skilled professionals. Some respondents mentioned ISO 27001. Strictly speaking, ISO 27001 applies to organizations, not individuals: it specifies the requirements for an Information Security Management System (ISMS) and the audit of that system. Nonetheless, ISO 27001 has its own ecosystem of certifications for individuals.
After "Other," we're back on familiar ground: the well-known certifications held by a substantial share of respondents. 22.0% of respondents in security roles hold the CISSP, 19.1% hold CompTIA Security+, 9.1% hold Certified Ethical Hacker, and 6.7% hold Certified Information Security Manager. These results closely track the certifications employers require. That is probably a self-fulfilling prophecy: as companies hire for CISSPs, CISSPs become more common in security roles. Still, it looks as though companies are following the security profession's lead rather than setting their own direction. CISSP, Security+, CEH, and CISM have become de facto industry standards.
Certifications Security Professionals Want
What about the certifications respondents don't have but would like to get? The answer aligns closely with the certifications employers require. 24.1% of respondents said they weren't interested in any further certifications. 34.8% want to earn the CISSP and 16.9% want Security+. Cloud+ and CISM are next, both around 16%, followed by CCSP at 13.4%. The appeal of the two foundational certifications is obvious: the CISSP is the benchmark for security professionals, and Security+ is a good starting point for those beginning their careers. Given the perceived skills shortage, the two cloud certifications may be even more significant. AWS, the most widely used cloud provider, appeared frequently in write-in responses, though rarely with a specific certification named; allowing for AWS's periodic renaming of its certifications, some 2.3% of respondents want an AWS certification. Azure fell below 0.5%.
CISA (Certified Information Systems Auditor, 12.9%), CEH (Certified Ethical Hacker, 12.9%), and CySA+ (CompTIA Cybersecurity Analyst, 12.4%) were each wanted by more than 10% of respondents in security roles. The alignment between the certifications employers require, the ones professionals hold, and the ones they want is striking.
Continuing Education
As we expected, the emphasis on certification goes hand in hand with a need for continuing education. Every technical discipline requires training, but nowhere is it more important than in security. The sudden arrival of AI caught everyone by surprise, with far-reaching implications for security. So did the widespread adoption of mobile phones, and so did work-from-home policies. New attacks and vulnerabilities appear constantly, and security professionals need to understand them. Security is a discipline where the ground shifts under your feet from one moment to the next. Programming languages, by contrast, change slowly: many development teams are only now migrating from Java 8 to Java 21, and Python remains popular with 3.12 as its current release. There are good reasons for that conservatism. Why change something that already works? Language designers are reluctant to break backward compatibility, even at the cost of innovation. Security has no such luxury. It is an ongoing struggle between defenders and attackers, and attackers are relentless in exploiting every new weakness. If you don't keep up, you become a casualty.
Only 19.3% of respondents said their employers don't require ongoing professional development. Most professionals in security roles receive substantial training: 32.2% are required to complete 41 or more hours of training per year, and 24.1% said their companies require 21 to 40 hours per year. Only 5.7% are expected to spend five hours or fewer.
Online courses are the most widely used training resource, at 89% of respondents in security roles, followed by books (77%) and videos (75%); there is no significant difference among those three. 51.1% attend conferences, including online events, and nearly half rely on blogs and newsletters.
In-person courses, at 29.1%, trail well behind the alternatives. There are many reasons for that. Online courses and videos are more convenient for both employers and employees. And although we don't hear much about it, COVID-19 is still with us; security professionals, of all people, understand how to reduce risk without introducing new risks unnecessarily.
Clearly, security professionals rely on online courses, books, and videos as their primary training resources.
Most respondents' employers (64.4%) provide basic security training to all staff, and 20.3% provide comprehensive training for the entire workforce. Only 9.3% of respondents said their companies provide no security training, and 6.0% said training is limited to employees in key roles.
When asked about the most important step an organization could take to improve its security posture, respondents overwhelmingly cited better security awareness training (40.1%). 22.4% wanted more staff, 20.3% emphasized better risk management, and 17.2% asked for better security tools.
Tools are important, but they only get you so far, even with AI. Given how often AI-generated answers are wrong, better risk management might be the more prudent investment. More staff would be welcome, but who wouldn't want a lighter workload? The skills gap is real: companies are looking for talent they can't find, and the practical answer is to work with the people you have rather than the people you can't hire. The most important finding is the call for better security awareness training at every level: 40% of respondents cited it as the single most important thing an organization could do. The key word is "better." The other 60% chose a different answer, which suggests they consider their current training adequate; that is reassuring. But is it enough? If the training were really effective, 40% of respondents wouldn't be asking for something better.
It’s About Training
Security is no longer something anyone can take for granted; it takes constant vigilance and effort to maintain. Respondents, regardless of role, are aware of the threats around them. They value certification even when their employers don't require it. They understand the need for training, and they are actively pursuing the certifications and training that will give them the skills they want. Certifications like the CISSP provide a comprehensive overview of their domain, but they are demanding to obtain. There are areas where expertise is in short supply, particularly the cloud. When reliable training on AI security becomes available, we expect to see a surge in demand. People who want good training want precise, actionable content that produces results, not just exam preparation.
Most of our respondents believe that security is everyone's responsibility. What does it take to make phishing the exception rather than the rule? To make ransomware a rare occurrence? Companies typically train employees on the basics, but a real partnership between company and individual is essential. Good training builds a culture of security awareness in which employees recognize and prioritize threats, from sophisticated phishing to password management to securing physical workspaces.
Security is a problem that will never go away. As soon as we eliminate old risks, we create new ones. Even at our best, we will struggle to keep up.
Appendix: The Certification Alphabet Soup
Security certifications are almost always referred to by acronym, and the full names aren't much more illuminating.
This appendix lists acronyms, full names, and certifying organizations for the certifications discussed in this report, along with several of the more common certifications that appeared in write-in responses.
Credit for a thorough review, discussion, and uncredited quotes goes to Dean Buschmann. Errors are mine.