February 5, 2018 16:12 source: China Information Security Assessment Center

Network security has become a major strategic issue bearing on economic and social development, the long-term stability of the country and the well-being of the people. Building a large, well-structured, high-quality network security talent team has become the core requirement for maintaining national network security and building a network power.

On February 5, China Information Security Assessment Center officially released the Report on the Current Situation of China's Information Security Practitioners (2017). The research was sponsored by China Information Security Evaluation Center, organized by the information security industry branch of the China Information Industry Chamber of Commerce, and co-organized by China Information Security, FreeBuf, e-security online, security bull, iquanqiu and e-security. The report investigates the basic composition and distribution of information security practitioners in China, talent supply, demand and structure, the directions and means of ability improvement, career development paths and career satisfaction. It focuses on analyzing the overall situation of practitioners and comparing it with the situation abroad, so as to provide a decision-making reference for building the national information security talent team.

The "2017 survey on the current situation of China's information security practitioners" was carried out as an online questionnaire. A total of 1957 valid samples were collected, covering all provinces, autonomous regions and municipalities directly under the central government. The practitioners surveyed come from different industries and units, and hold a variety of information security responsibilities and roles.

According to the report, the current situation of information security practitioners in China mainly includes the following aspects:

1. The basic composition is relatively homogeneous, and practitioners are most concentrated in the first-tier cities. Chinese information security practitioners are mainly male, and most have a bachelor's degree and a computer education background, which is basically consistent with the composition of information security practitioners globally. Compared with developed countries, China's practitioners are relatively young and, as a whole, have relatively few working years. In terms of regional distribution, the four first-tier cities of Beijing, Shanghai, Guangzhou and Shenzhen have the highest concentration. In addition, practitioners are concentrated in the Yangtze River Delta region, which has the most economic vitality and a large-scale electronic information industry, and in the southwest region, where security enterprises and information security schools are concentrated.

2. Supply and demand of information security practitioners are seriously unbalanced, and there are structural problems. Demand for talent is growing rapidly and the talent gap is difficult to fill; the serious imbalance between supply and demand has pushed up the overall salary level. The average salary level of information security practitioners in China is 12.2-178000 yuan, which is higher than the average annual salary of national professional and technical personnel and of information technology practitioners. Relatively many people work in operation and maintenance, technical support, management, risk assessment and testing, while relatively few work in strategic planning, architecture design and information security law. The shortage of talent in strategic planning and architecture design is the most prominent, especially of "generals" with comprehensive ability and an overall grasp.

3. High self-expectations and requirements make training needs difficult to meet. The information security practitioners in our country choose an information security career mainly because of its intrinsic value to them, and they set high requirements for continuously updating their knowledge and ability. Once employed, they improve their ability mainly through online learning and vocational training. Practitioners want to improve their professional skills in many areas; the most desired skills are network attack and defense, security management, security architecture, and security audit. However, only 22.8% of employees receive regular, planned and targeted training in their affiliated units.

4. Overall development is insufficient, and the differences among regions, industries and posts are obvious. At present, China's network security investment is clearly insufficient, security responsibility is not in place, and the demand of the network security talent market has not been effectively released. With the growth of business demand and legal enforcement demand, the number and quality of information security practitioners are expected to continue to grow rapidly. Employees' salaries follow a "first-tier cities, East China, South China and other regions" distribution. The salaries of employees in the financial industry and in management positions are high and rising rapidly. However, the salaries of about half of the employees in the system have not changed, or have even declined, in the past year. Although security operation and maintenance personnel are important builders of security, both their salary base and their salary growth are low.

5. The career development path is not clear, and there is no standard for personnel classification and evaluation. 25.9% of information security practitioners have no clear place in the sequence of technical titles, and the standards and levels set in enterprises' personnel management systems differ. The field of information security has many subdivisions, and the technology is updated rapidly. At present, there is no career development roadmap that covers the full spectrum of career categories and the complete career life cycle and that is generally recognized by the industry. It is difficult to match the responsibilities, rights and interests of personnel, which is conducive neither to the country's overall planning and guidance for building the information security talent team nor to the career development of employees.

6. Perceived pressure is generally high, but overall career satisfaction is still good. Information security practitioners generally feel great pressure, and only 1.7% of them think that the work is easy. People in government institutions, the financial industry and management positions feel more pressure. Because of the long-term shortage of personnel, existing employees have to bear a workload that does not match their numbers and ability. In addition, security posts carry greater responsibilities. However, the proportion of employees with high occupational satisfaction is still significantly higher than the proportion with low occupational satisfaction, indicating that employees are optimistic about the overall development of the information security career and hold a positive attitude.

7. Qualifications can effectively promote career development, but the number of holders is not encouraging. Qualifications for different information security subdivisions and at different levels help practitioners plan and achieve their career goals, and also provide an objective and fair basis for personnel assessment and evaluation. Holders of relevant qualification certificates think that vocational training and qualification recognition do much to promote ability and career development. Among the people holding information security qualification certificates in China, the highest proportion hold the registered information security professional (CISP) certificate. On the whole, however, the proportion of practitioners holding authoritative qualification certificates is not high; only a few or some of them hold relevant certificates.

Wei Hua, director of the qualification evaluation office of China Information Security Evaluation Center, said: "To implement the network security talent project, we need to grasp the particularity of the network security field and the network security talent with a scientific attitude, and find out the difficulties in the current construction of the security talent team. From the research results, the construction of the information security talent team is also faced with a serious imbalance between supply and demand, insufficient education and training, and limited means of talent evaluation. At present, it is urgent to further strengthen the education and training of employees and reserve personnel. At the same time, it is necessary to study and formulate the evaluation standards of employees, and do a good job in the selection, education, use and retention of talents. The network security talents business has ushered in the best development opportunity. As the national authority department that undertakes the qualification evaluation function of information security personnel, our center has trained tens of thousands of key information security talents for the party, government and army, important industries and key information infrastructure operation units through the registered information security professional (CISP) training system in the past 15 years. In the critical historical period of the development of network security talents, we will take on the mission of the times and continue to devote ourselves to the practice and exploration of network security talents training."

Cui Guangyao, vice president and editor-in-chief of China Information Security, said: "In his speech on April 19, General Secretary Xi stressed that the competition in cyberspace is ultimately the competition for talents. As the saying goes, a thousand soldiers are easy to get, but a general is hard to get. The reality before us is that one general is hard to find, and a thousand armies hate less. In the face of the overall situation of 'Kyushu is angry and depends on wind and thunder' in China's e-mail industry, the contradiction of insufficient talents in cyberspace, especially in cybersecurity, is increasingly prominent. In the past two years, the state has taken a series of major measures in personnel training and achieved good results, which is a good sign. However, the situation of talent shortage cannot be fundamentally improved in a short period of time, which requires perseverance and great efforts. China Information Security Assessment Center issued a white paper on information security talents in China, aiming to find out the talents' background, and then to promote the talents training to open a new situation and step to a new level. 'I advise the heavenly father to be vigorous and to bring down talents regardless of one style.' Take this opportunity to publish the white paper and call for it. This 'heavenly father' is not only the field of network security, but also the common responsibility of the field of network information and the whole society."

The survey has received a warm response from the vast number of information security practitioners, and has become a channel for front-line practitioners to reflect their current situation, express their views, and provide advice and suggestions for the security cause.

In the research activity, an information security practitioner said: "With the rapid development of information technology, the prevention and processing of information security has become more and more important. In many units of our country, the attention to information security is not high, lack of corresponding information technology knowledge, lack of scientific management of unit information network, often fail to deal with problems in time, resulting in economic losses. We should strengthen the training of information technology practitioners, formulate corresponding systems for management, and put information security management into practice. The state should encourage the learning of information security technology, provide a larger platform to meet the knowledge needs of information technology practitioners, ensure that practitioners can better achieve personal development and improve the quality of information security services."

As for the survey itself, interviewees think it is very timely and necessary. "At present, the level and structure of employees are relatively complex. Many of them don't have enough professional knowledge before they engage in information security work, resulting in uneven level and ability of industry personnel and a misunderstanding of a low employment threshold, which is not very beneficial to improving the voice and position of personnel in the enterprise. I hope that through this research activity, I can grasp the work and learning status of employees, find out the training and learning needs, and help improve the overall level of the industry." Some interviewees expressed their hope that "the activity can become a long-term measure to continue, so as to build an ecological chart of domestic information security industry personnel, and become the ability vane of domestic information security practitioners".

On ability improvement, career development and other issues of concern to information security practitioners, the interviewees actively shared their experience. "I am a CISP holder. By learning the relevant contents of CISP certification system, I have a comprehensive understanding of information security legal system, management methods and security technology, which improves my professional quality of information security, has a clearer grasp of the whole information security system, has some opinions on the planning and architecture of information security, and plays a greater role in promoting the work. In the work, the evaluation of professional titles or competitive posts, with this certificate, you can also add points for yourself."

"Through the training and learning of CISP, the professional knowledge required by my work has been systematically sorted out and the foundation has been consolidated. The whole technology of information security has developed rapidly. On the premise of solid foundation, it is necessary to integrate new technologies to better adapt to the current development. I am engaged in the third-party evaluation work. I feel that all units attach great importance to information security at present. I have a strong sense of security but lack of corresponding technical ability. I think the front-line information security staff have a greater demand for practical education and training."