You can not fight security threats with technology alone. That's why the focus is switching to the human factor, IDC's latest survey reveals.

Now in its third year, the annual IDC Global Information Security Workforce Study reflects the state of the profession, its concerns, hopes and expectations of what the future will hold. In an increasingly uncertain world, it will come as no surprise that infosec professionals are finding themselves more in demand, while the responsibility for information risk management is starting to be distributed across the enterprise.

What is changing, however, is the nature of the job, the people coming in and the mix of skills needed to survive. The overwhelming message is that reliance on technology is no longer enough and that risk awareness is becoming a priority throughout organisations. While greater awareness of security can only be good thing, there has been a slight decline in earning at the top-end of the salary scale, suggesting that organisations are looking for more distributed return on investment.

Businesses are also starting to shift the focus from dealing with security threats as they happen towards implementing information risk management programmes, often with the assistance of third-party professional services.

According to IDC's survey, which questioned more than 4,000 information security professionals from over 100 countries, the three most crucial areas for solving security problems are management support for security policies, making sure users follow policy and having qualified security staff.

The use of software and hardware was also rated as important, but didn't make the top three, highlighting how attitudes are shifting in favour of policies, processes and people over the use of technology alone.

This finding is further supported by the fact that 40% of information security budgets are now being channelled into the development of personnel, education and training departments, a rise of almost 5% on previous years.

With around 39% of those questioned claiming they would be willing to increase their spending by nearly a third in these areas, this trend looks set to continue. Organisations in the Americas and EMEA regard security risk management training as a priority, while regions such as the Asia-Pacific rated it a close second.

With the number of information security professionals expected to rise at an annual rate of 7.8% over the next few years, from 1.5 million to just over 2 million, and the amount of people employed in IT to increase by around 4.6%, the need for training is obvious.

Responsibilities for IT security are now being shared across organisations, with CEOs just as likely to be involved as other, more C-level employees.

In companies where internal capabilities are limited, the help of third-party service firms is being enlisted instead.

Ed Zeitler, CISSP, executive director at (ISC)2, which commissioned the study, welcomes the findings. "Security breaches that have made headlines during the past year have been a result of human error. This report further validates the conventional wisdom long held by information security professionals that people are the critical component of an effective information security programme" he said.

Behind the numbers

SC's Dan Kaplan caught up with Allan Carey, IDC's program manager of security products and services, to talk about the issues raised by the study.

What do the survey results tell you?

One of the biggest factors in security is the human factor, which continues to be one of the weakest links. Information security professionals are challenged with getting the support of management to buy into and actually support management policies.

Second, it tells me that end-users themselves need to be better educated about security policies before we can really make them work. Third, organisations want the most qualified people as part of their security staff.

Are security professionals finding themselves in high demand?

Yes, and what organisations are looking for are individuals with the right combination of technology competencies, business acumen and understanding of the business. There's a demand for people who can translate the strategies of the business into security technology requirements, policies and processes to enable the company to achieve its goals.

How is the relationship between the IT professional and the C-level executives and various boards of directors changing?

I think it has remained fairly consistent over the last year. Sarbanes-Oxley (SOX) is still a top priority for both executive management and the boards of directors, and the amount of global compliance that's being placed upon organisations is increasing. Organisations around the world are starting to look at SOX as a best practice approach and Japan just came out with its own version.

Is that changing the relationship between the information security community and the business movers and shakers?

It's certainly making them talk more frequently than they have in the past. Executives need assurance that the proper access controls are in place to meet regulatory compliance.

Who is the information security professional reporting to?

About three out of ten are reporting to the IT department, followed at about 20 per cent by the security or information assurance group. Another 17 per cent report to someone at the executive management level.

It looks as if there's still limited reporting to the C-suite level, with a lot of responsibility for security still the preserve of the IT manager.

Information security professionals have been reorganised under a different functional area within the management hierarchy in a few organisations, but there hasn't been a significant shift across all industries and company sizes.

We've heard some rumblings among industry players that the CIO is losing power?

One thing we look at is ultimate accountability within an organisation.

In last year's survey, a little over 30 per cent of respondents said the CIO was ultimately accountable for. This year that figure was also about 30 per cent. Second to that was the CEO at 18.7 per cent, followed by the CISO at 13 per cent and the CSO at 11 per cent.

Does it surprise you that various positions seem to have the responsibility?

That's part of a continuous debate. I would say there is no definite answer.

Where is the future of education in this space?

The top-five areas where IT professionals see a growing demand for training and education are information risk management; forensics; business continuity and disaster recovery; application and system development security; and security administration.

What stands out to you about that?

Risk management jumped business continuity and forensics. One of the reasons is regulatory compliance and the whole notion around risk management. You see individuals responsible for risk management being appointed and entire departments to deal with this area being created.

Additional reporting by Emma Pritchard

The full report can be downloaded from the ISC2 website at

Top 5 security technologies being deployed by region

Rank Americas EMEA Asia/Pacific
1 Biometrics Wireless security Wireless security
solutions solutions
2 Intrusion prevention Biometrics Biometrics
3 Wireless security Forensics Forensics
4 Identity and access Intrusion prevention Storage security
5 Security event or Risk management Business continuity
information solutions and disaster recovery
management solutions