The survey results were not released until after press time (October 25), but
SC Magazine reporter Dan Kaplan got a sneak peak at the findings when he caught up recently with Allan Carey, IDC's program manager of security products and services.
SC: Good afternoon, Allan. What sort of solutions are you hearing about from information security professionals?
Allan Carey: Identity and access management, intrusion detection. Also physical security ranks pretty high.
SC: Why are you seeing an increase in identity and access management?
AC: You can relate to some of the ID fraud and publicized situations about the breach of sensitive corporate information. And also the regulatory environment. Compliance is one of the biggest drivers.
SC: What do organizations value most?
AC: The top five are management support of security policies, followed by users following security policies, qualified security staff, software solutions and hardware solutions.
SC: What do these results tell you?
AC: One of the biggest factors in security is the human factor, and it continues to be one of the weakest links. Information security professionals are challenged with getting the support of management to buy into and actually support management policies. Second, it tells me end-users themselves need to be better educated of the security policies. Third, organizations want the most qualified people as part of their security staff.
SC: Are security pros finding themselves in high demand?
AC: They are. What organizations are looking for are individuals with the right combination of technology competencies and skill sets with business acumen and understanding the business. [There is a demand for individuals] who can translate the strategies of business into security technology requirements, policies and processes to enable the organization to achieve its goals.
SC: Are a lot of pros leaving their enterprise to find something better?
AC: That's a very good question. We didn't ask whether they've switched jobs in the past year.
SC: What about the influence of security within organizations. Is it growing?
AC: It remains relatively the same as last year. About 68 percent of respondents this year indicated that information security's influence significantly or slightly increased over the past year. Of that same population of professionals, 72 percent indicated that their influence would continue to increase over the next 12 months. Last year, it was around 70 percent.
SC: Why only a minor increase?
AC: Security professionals over the past couple of years have made headway. Regulatory compliance has certainly been a helping factor to drive security awareness at the executive level.
SC: How is the relationship changing between the IT pro and the C-level executives and various boards of directors?
AC: I think it's remained relatively consistent within the last year. Sarbanes-Oxley (SOX) is still a top priority with both executive management and the boards of directors, and the increasing amount of global compliance that's being placed upon organizations is increasing. Japan just came out with their version of SOX and other organizations around the world are starting to look at Sarbanes-Oxley as a best practice.
SC: Is that changing the relationship between the information security community and the business movers and shakers?
AC: It's certainly making them talk more frequently than they have in the past. Executives need assurance that the proper access controls are in place to meet regulatory compliance.
SC: To whom is the information security professional reporting?
AC: About three out of 10 are reporting to the IT department, followed at about 20 percent by the security or information assurance group. Another 17 percent report to someone at the executive management level.
SC: It looks like there's still limited reporting to the C-suite level, as opposed to departments that are more concerned with IT.
AC: There hasn't been a significant shift across all industries, across all company sizes, where information security professionals are being re-organized under a different functional area within the management hierarchy.
SC: Are you seeing a change in the salary structure?
AC: Depending on the region, I observed some changes in the salary range. I'll just throw out a few examples. In the U.S., the average salary across respondents remained basically the same. This year it was $99,634, last year was $99,336. But in the Central and South American regions, the average salary went from $40,725 to $62,079. In Western Europe, last year the average salary was $84,533, this year it was $80,520.
SC: To what do you attribute those increases and decreases?
AC: [European labor laws that make the maximum work week 35 hours] is one thing that comes to mind. Certainly in the major countries through Latin America — Argentina, Brazil, Mexico, just to name a few — over the past year, they have had an increasing emphasis on better information security.
SC: Yet within our country, it looks about the same.
AC: There doesn't seem to be any significant factor that would have either increased or decreased what we're seeing in the marketplace.
SC: We've heard some rumblings among industry players that the CIO is losing power?
AC: One thing we look at is ultimate accountability within an organization. From last year's survey, the CIO was ultimately accountable for a little over 30 percent of respondents. This year was also about 30 percent. Second to that was the CEO at 18.7 percent, followed by the CISO at 13 percent and the CSO at 11 percent.
SC: Does it surprise you that various positions seem to have the responsibility?
AC: That's part of a continuous debate. I would say there is no definite answer.
SC: Where is the future of education in this space?
AC: The top five overall areas where IT pros see a growing demand for training and education are information risk management; forensics; business continuity and disaster recovery; application and system development security; and security administration.
SC: What stands out to you about that?
AC: Risk management jumped business continuity and forensics. One of the reasons is regulatory compliance and the whole notion around risk management. You see departments for risk management and individuals responsible for risk management [being created]. And application security was eight last year. If you look at how some of the newest threats and attacks are being perpetrated, it's the application layer, not the network infrastructure layer.
Editor's note: Many of the survey questions contained a "Do Not Know" answer option, which could justify any percentage discrepancies in Carey's answers.