Ultimate responsibility for information security is moving up corporate management hierarchies, as board-level directors and CEOs - or CISO/CSOs - are increasingly held accountable for safeguarding IT infrastructures, new research has revealed.
The second annual Global Information Security Workforce Study, conducted by global analyst firm IDC and sponsored by not-for-profit IT security educational organization, the International Information Systems Security Certification Consortium (ISC)2, expects this accountability shift to continue as information security becomes more relevant in risk management and IT governance strategies.
The study also found that security is becoming operationalized within organizations as they attempt to align their business and security strategies with the goal of establishing a comprehensive information risk management program. The majority of respondents – 73 percent globally (77.8 percent in EMEA) – expect their influence with executives and board-level directors to increase in the coming 12 months. The main reason for this was cited as the evolution of dialogue between corporate executives and information security professionals from a technical security discussion to one of risk management strategies.
"This year, professionals worldwide indicated that information security is now being perceived as a business enabler rather than a business expense, and as a result, they are increasingly being included in strategic discussions with the most senior levels of management," said Rolf Moulton, CISSP-ISSMP, president and CEO (interim) of (ISC)2. "This demonstrates that the competency of information security professionals is being recognized as the key to an effective security strategy."
IDC analysed responses from 4,305 full-time information security professionals in more than 80 countries worldwide that had purchasing, hiring or management responsibilities. Nearly half were employed by organizations with $1 billion or more in annual revenue. Respondents represent organisations of various sizes from public and private sectors, different vertical industries and varying core competencies and skill sets from organisations around the world.
Highlights from the 2005 report include:
Nearly 21 percent globally (29 percent EMEA) of respondents, up from 12 percent (17 percent EMEA)in 2004, say their CEO is now ultimately responsible for security, while those saying that the board of directors is now ultimately responsible for security rose nearly 6 percent from 2.5 percent in 2004. Respondents from the EMEA region recorded the highest incidence of responsibility ultimately being with the board of directors with 11 percent overall, and 11.5 percent from Western European countries.
Across all regions, organisations spend on average more than 43 percent of their IT security budgets on personnel, education and training. Overall, respondents are anticipating their level of education and training to increase by 22 percent over the coming year.
Professionals are looking for additional training in business continuity (50.5 percent globally, 51 percent EMEA), forensics (50 percent globally, 43 percent EMEA) and risk management (48 percent globally, 51 percent EMEA), all of which factored higher than the demand indicated in 2004. In regions outside the Americas, security professionals ranked ISO/IEC 17799 as their top priority of interest for additional security training (54 percent in EMEA).
More than 60 percent of respondents (62 percent in EMEA) indicated that it was their intention to acquire at least one information security certification within the next 12 months. Nearly one quarter, 23 percent, of respondents in EMEA identified that it was company policy to require certifications. This compared to 16 percent of respondents in the Americas.
More individuals reported attaining a master's degree or its equivalent – 42 percent in EMEA, compared with 32 percent in 2004. Within the Americas, the number increased to 34 percent from 28 percent over 2004. A doctorate level or equivalent was reported by 11 percent (6 percent EMEA) of information security professionals worldwide.
Some common areas where organizations are investing their security dollars are wireless security, identity and access management, business continuity and security event or information management. Biometrics appear to play a bigger role in the developing markets of Latin America and Eastern Europe, with 10 percent more respondents indicating they would be deploying this technology, than in more mature markets.
"This year's study shows that information security has become a critical component of the enterprise. Complex security solutions, regulatory requirements and encroaching threat advances are driving organisations to entrench security strategies and policies and rely on highly educated, highly qualified professionals who must perform an ever-growing list of activities such as threat mitigation, compliance auditing, and proactive security management and monitoring," said Allan Carey, the IDC analyst who led the study.
The market outlook remains positive for individuals seeking to work in the information security field. IDC estimates the number of security professionals worldwide in 2005 to be 1.4 million, a 9 percent (8.8 percent EMEA) increase over 2004. This figure is expected to increase to more than 1.9 million by 2009, representing a compounded annual growth rate of 8.5 percent (7.9 percetn EMEA) from 2004 to 2009.