IDC Workforce Study: Power to the people

You cannot fight security threats with technology alone. That's why the focus is switching to the human factor, IDC's latest survey reveals.

Now in its third year, the annual IDC Global Information Security Workforce Study reflects the state of the profession, its concerns, hopes and expectations of what the future will hold. In an increasingly uncertain world, it will come as no surprise that infosec professionals are finding themselves more in demand, while the responsibility for information risk management is starting to be distributed across the enterprise.

What is changing, however, is the nature of the job, the people coming in and the mix of skills needed to survive. The overwhelming message is that reliance on technology is no longer enough and that risk awareness is becoming a priority throughout organisations. While greater awareness of security can only be a good thing, there has been a slight decline in earnings at the top end of the salary scale, suggesting that organisations are looking for a more distributed return on investment.

Businesses are also starting to shift the focus from dealing with security threats as they happen towards implementing information risk management programmes, often with the assistance of third-party professional services.

According to IDC's survey, which questioned more than 4,000 information security professionals from over 100 countries, the three most crucial areas for solving security problems are management support for security policies, making sure users follow policy and having qualified security staff.

The use of software and hardware was also rated as important, but didn't make the top three, highlighting how attitudes are shifting in favour of policies, processes and people over the use of technology alone.

This finding is further supported by the fact that 40% of information security budgets are now being channelled into the development of personnel, education and training departments, a rise of almost 5% on previous years.

With around 39% of those questioned claiming they would be willing to increase their spending by nearly a third in these areas, this trend looks set to continue. Organisations in the Americas and EMEA regard security risk management training as a priority, while regions such as the Asia-Pacific rated it a close second.

With the number of information security professionals expected to rise at an annual rate of 7.8% over the next few years, from 1.5 million to just over 2 million, and the number of people employed in IT to increase by around 4.6%, the need for training is obvious.

Responsibilities for IT security are now being shared across organisations, with CEOs just as likely to be involved as other, more C-level employees.

In companies where internal capabilities are limited, the help of third-party service firms is being enlisted instead.

Ed Zeitler, CISSP, executive director at (ISC)2, which commissioned the study, welcomes the findings. "Security breaches that have made headlines during the past year have been a result of human error. This report further validates the conventional wisdom long held by information security professionals that people are the critical component of an effective information security programme," he said.

Behind the numbers

SC's Dan Kaplan caught up with Allan Carey, IDC's program manager of security products and services, to talk about the issues raised by the study.

What do the survey results tell you?

One of the biggest factors in security is the human factor, which continues to be one of the weakest links. Information security professionals are challenged with getting the support of management to buy into and actually support management policies.

Second, it tells me that end-users themselves need to be better educated about security policies before we can really make them work. Third, organisations want the most qualified people as part of their security staff.

Are security professionals finding themselves in high demand?

Yes, and what organisations are looking for are individuals with the right combination of technology competencies, business acumen and understanding of the business. There's a demand for people who can translate the strategies of the business into security technology requirements, policies and processes to enable the company to achieve its goals.

How is the relationship between the IT professional and the C-level executives and various boards of directors changing?

I think it has remained fairly consistent over the last year. Sarbanes-Oxley (SOX) is still a top priority for both executive management and the boards of directors, and the amount of global compliance that's being placed upon organisations is increasing. Organisations around the world are starting to look at SOX as a best practice approach and Japan just came out with its own version.

Is that changing the relationship between the information security community and the business movers and shakers?

It's certainly making them talk more frequently than they have in the past. Executives need assurance that the proper access controls are in place to meet regulatory compliance.

Who is the information security professional reporting to?

About three out of ten are reporting to the IT department, followed at about 20 per cent by the security or information assurance group. Another 17 per cent report to someone at the executive management level.

It looks as if there's still limited reporting to the C-suite level, with a lot of responsibility for security still the preserve of the IT manager.

Information security professionals have been reorganised under a different functional area within the management hierarchy in a few organisations, but there hasn't been a significant shift across all industries and company sizes.

We've heard some rumblings among industry players that the CIO is losing power?

One thing we look at is ultimate accountability within an organisation.

In last year's survey, a little over 30 per cent of respondents said the CIO was ultimately accountable for. This year that figure was also about 30 per cent. Second to that was the CEO at 18.7 per cent, followed by the CISO at 13 per cent and the CSO at 11 per cent.

Does it surprise you that various positions seem to have the responsibility?

That's part of a continuous debate. I would say there is no definite answer.

Where is the future of education in this space?

The top-five areas where IT professionals see a growing demand for training and education are information risk management; forensics; business continuity and disaster recovery; application and system development security; and security administration.

What stands out to you about that?

Risk management jumped business continuity and forensics. One of the reasons is regulatory compliance and the whole notion around risk management. You see individuals responsible for risk management being appointed and entire departments to deal with this area being created.

Additional reporting by Emma Pritchard

The full report can be downloaded from the ISC2 website at www.isc2.org.

A QUESTION OF PRIORITIES
Top 5 security technologies being deployed by region

Rank  Americas                                   EMEA                         Asia/Pacific
1     Biometrics                                 Wireless security solutions  Wireless security solutions
2     Intrusion prevention                       Biometrics                   Biometrics
3     Wireless security solutions                Forensics                    Forensics
4     Identity and access management             Intrusion prevention         Storage security
5     Security event or information management   Risk management solutions    Business continuity and disaster recovery solutions
