Stuart Gentle Publisher at Onrec

(ISC)2 study says information security professionals are gaining influence in the board room

Boards of Directors, CEOs and CISOs/CSOs Are More Accountable for Information Security and Risk Management Strategies

The International Information Systems Security Certification Consortium [(ISC)2], the non-profit international leader in educating and certifying information security professionals worldwide and currently celebrating the Year of the Information Security Professional, today announced the results of the second annual Global Information Security Workforce Study, conducted by global analyst firm IDC and sponsored by (ISC)2. Results revealed the profession continued to mature, and ultimate responsibility for information security moved up the management hierarchy, with more respondents identifying the board of directors and CEO, or a CISO/CSO as being accountable for their company's information security.

IDC expects this accountability shift to continue as information security becomes more relevant in risk management and IT governance strategies. The study also found that security is becoming operationalised within organisations as they attempt to align their business and security strategies with the goal of establishing a comprehensive information risk management program.

The majority of respondents – 73% (77.8% EMEA) – expect their influence with executives and the board of directors to increase in the coming 12 months, as dialogue between corporate executives and information security professionals has evolved from a technical security discussion to one of risk management strategies.

"This year, professionals worldwide indicated that information security is now being perceived as a business enabler rather than a business expense, and as a result, they are increasingly being included in strategic discussions with the most senior levels of management," said Rolf Moulton, CISSP-ISSMP, president and CEO (interim) of (ISC)2. "This demonstrates that the competency of information security professionals is being recognised as the key to an effective security strategy."

IDC analysed responses from 4,305 full-time information security professionals in more than 80 countries worldwide that had purchasing, hiring and/or management responsibilities, with nearly half employed by organisations with US$1 billion or more in annual revenue. Respondents represent organisations of various sizes from public and private sectors, different vertical industries, and varying core competencies and skill sets from organisations around the world. Highlights from the 2005 report include:

Nearly 21% (29% EMEA) of respondents, up from 12% (16.9% EMEA) in 2004, say their CEO is now ultimately responsible for security, while those saying that the board of directors is now ultimately responsible for security rose nearly 6% from 2.5% in 2004. Respondents from the EMEA Region recorded the highest incidence of responsibility ultimately being with the board of directors with 10.75% overall, and 11.5% from Western European countries.

Across all regions, organisations spend on average more than 43% of their IT security budgets on personnel, education and training. Overall, respondents are anticipating their level of education and training to increase by 22% over the coming year.

Professionals are looking for additional training in business continuity (50.5% globally; 50.6% EMEA), forensics (50.3% globally, 42.86% EMEA), and risk management (48% globally, 51.29% EMEA), all of which factored higher than the demand indicated in 2004. In regions outside the Americas, security professionals ranked ISO/IEC 17799 as their top priority of interest for additional security training (53.9% in EMEA).

More than 60% of respondents (62.2% in EMEA) indicated that it was their intention to acquire at least one information security certification within the next 12 months. Nearly one quarter, 23.3%, of respondents in EMEA identified that it was company policy to require certifications. This compared to 15.9% of respondents in the Americas.

More individuals reported attaining a master's degree or its equivalent – 42% in EMEA, compared with 32% in 2004. Within the Americas, the number increased to 34% from 28% over 2004. A doctorate level or equivalent was reported by 11% (6% EMEA) of information security professionals worldwide.

Some common areas where organisations are investing their security dollars are wireless security, identity and access management, business continuity, and security event or information management. Biometrics appear to play a bigger role in the developing markets of Latin America and Eastern Europe, with 10% more respondents indicating they would be deploying this technology, than in more mature markets.

"This year's study shows that information security has become a critical component of the enterprise. Complex security solutions, regulatory requirements and encroaching threat advances are driving organisations to entrench security strategies and policies and rely on highly educated, highly qualified professionals who must perform an ever-growing list of activities such as threat mitigation, compliance auditing, and proactive security management and monitoring," said Allan Carey, the IDC analyst who led the study.

The market outlook remains positive for individuals seeking to work in the information security field. IDC estimates the number of security professionals worldwide in 2005 to be 1.4 million, a 9% (8.8% EMEA) increase over 2004. This figure is expected to increase to more than 1.9 million by 2009, representing a compounded annual growth rate of 8.5% (7.9% EMEA) from 2004 to 2009.

"A major goal of the Year of the Information Security Professional program was to encourage organisations to invest in their most important information security asset – their people," added John Colley, CISSP, chairman of the (ISC)2 board of directors. "We are pleased to see that this is becoming a reality in the marketplace and that businesses and governments alike are beginning to recognise that people are the key to any security program."

The 2005 Global Information Security Workforce Study was conducted by IDC on behalf of (ISC)2 to provide detailed insight into important trends and opportunities within the information security profession. The study provides a clearer understanding of how professionals are compensated, how their organisations view security, and next steps required to advance information security careers and the profession. To download a copy of the study, please visit