Study: Worries Regarding Corporate Reputation Making Information Security Top Priority Worldwide

• Apr 29, 2008

Avoiding reputation damage to the organization was viewed as a top priority for security programs by three-quarters of information security professionals surveyed in a worldwide study launched recently by (ISC)² .

The 2008 Global Information Security Workforce Study (“GISWS”) was conducted by analyst firm Frost & Sullivan on behalf of (ISC)². It surveyed 7,548 information security professionals, including more than 1,500 ‘C-suite’ executives and security managers, as well as IT and other professionals with responsibility for information security, from companies and public sector organizations in more than 100 countries.

Respondents came from the three major regions of the world: Americas (41 percent); Asia-Pacific (34 percent); and Europe, Middle East and Africa (25 percent). Web-based surveys were distributed to targeted information security respondents worldwide in the third quarter of 2007.

“This fourth edition of the study demonstrates more than ever before that information security has become a business imperative for organizations of all sizes, with far-reaching concerns such as corporate reputation, the privacy of customer data, identity theft, and breach of laws and regulations driving information security governance,” said Rob Ayoub, Frost & Sullivan industry manager, network security.

Pressure over data loss and compliance has driven accountability for information security to the executive level, with 49 percent of information security professionals reporting to executive management or boards of directors. Other study highlights include:

• Smaller organizations (up to 500 employees) accounted for nearly 60 percent of respondents, signifying a move from security as a priority for mostly larger organizations to organizations of all sizes due to business requirements and compliance, including the impact of the payment card industry’s PCI-DSS.
• A third of respondents said their primary functional responsibilities are mostly managerial. An additional 48 percent also reported that their functional responsibilities will be mostly managerial in the next two to three years, suggesting a changing focus in their roles.
• Approximately 20 percent of respondents were at the executive (Chief Information Officer, Chief Information Security Officer, Chief Security Officer, Chief Risk Officer) or manager level.
• Communications skills were seen as “very important” or “important” by 81 percent of respondents to be a successful professional. Business skills were also seen as very important or important by 69 percent of respondents.
• Information security is moving beyond the perimeter and becoming more data-focused, protecting data both at rest and in transit, with wireless security solutions, cryptography, storage security and biometrics represented in the top five technologies being deployed in most regions.
• Information security awareness is appreciated as a significant factor in effective information security management: Users following information security policy was identified as the most important factor in a security professional’s ability to protect the organization. In addition, 51 percent of respondents identified internal employees as the biggest threat to their organizations.
• Globally, average annual salaries for professionals with at least five years of experience are reported at $94,500 for respondents identifying themselves as members of (ISC)2 and $73,856 for all other participants. The majority of (ISC)2 members (70 percent) considered themselves to be information security professionals; the majority of non-members (66 percent) to be information technology professionals.
• The profession is maturing, with average experience levels reported at 9.5 years in the Americas, 7.1 years in Asia-Pacific, and 8.3 years in EMEA. Professionals across all regions also reported high levels of post-secondary education.

“This year’s study acknowledges that effective information security programs enable businesses to grow and prosper,” said Eddie Zeitler, CISSP, executive director of (ISC)2. “Consequently, professionals are being tasked more with the business of security, managing and consulting on its broad contribution to the business, while the administration of technical solutions is being integrated into the IT department.

“Opportunities in the information security field will continue to grow despite slower economic growth worldwide due to the increased pressure on professionals to ensure responsible and secure business interactions coming from consumers, B2B customers, strategic partners and regulatory bodies.”

Frost & Sullivan estimates the number of information security professionals worldwide to be approximately 1.66 million. This figure is expected to increase to almost 2.7 million professionals by 2012, displaying a compound annual growth rate (CAGR) of 10 percent. A strong outlook is also depicted for professional development in the sector, with the great majority of respondents expecting either stability or an increase in training budgets. Other highlights include:

• Respondents reported that information security spending on personnel remained stable in the Americas and EMEA in 2007 compared to 2006. In contrast, Asia-Pacific respondents anticipated an increase in information security spending across the board.
• Almost 60 percent of respondents with less than 10 years of experience reported an expected increase in training budgets over the next year, often to get up to speed on emerging technologies and threats. More than half of respondents in operational roles expected an increase.
• Top training topics included security administration, application and systems security, business continuity and disaster recovery planning, privacy, and information risk management.
• Seventy-eight percent of hiring managers cited certifications as either “very important” or “somewhat important.” While “quality of work” and “company policy” were the top reasons given for certification’s importance, a new reason -- “customer requirement” -- was identified by 33 percent of respondents requiring certifications.