Workforce Security Report 2008
24/04/08
Avoiding
reputation damage to the organisation was viewed as the top priority
for security programmes by roughly three quarters (71 percent
globally, 75 percent in Europe) of the information security
professionals surveyed in a worldwide study launched by (ISC)2.
The 2008 Global Information Security Workforce Study was conducted
by analyst firm Frost & Sullivan on behalf of (ISC)2. It surveyed
7,548 information security professionals, including over 400 CSOs and
CISOs, and other professionals with responsibility for information
security, from companies and public sector organisations in more
than 100 countries. Respondents came from the three major regions of
the world: the Americas (41 percent), Europe (25 percent) and
Asia-Pacific (34 percent).
This fourth edition of the study demonstrated more clearly than ever
before that information security has become a business imperative
for organisations, with far-reaching concerns such as corporate
reputation, the privacy of customer data (top priority for 70
percent globally, 69 percent EMEA), identity theft (high priority
for 67 percent globally, 63 percent EMEA), and breach of laws and
regulations (61 percent globally, 60 percent EMEA) motivating
information security governance. Pressure over data loss and
compliance has driven accountability for information security to the
executive level, with the number of information security
professionals reporting to executive management reported at 33
percent globally and 40 percent in EMEA, compared to 21 percent
globally the first year (ISC)2 conducted a similar survey in 2004.
Other study highlights include:
• Smaller organisations (up to 500 employees) accounted for nearly
60 percent of respondents globally and in EMEA, signifying a move
from security as a priority for mostly larger organisations to
organisations of all sizes due to business requirements and
compliance, including the impact of the payment card industry’s
PCI-DSS.
• A third of respondents (36 percent globally, 35 percent EMEA) said
their primary functional responsibilities are mostly managerial,
with a higher proportion of respondents (48 percent globally, 43
percent EMEA) reporting that their functional responsibilities will
be mostly managerial in the next two to three years, suggesting a
changing focus for their role.
• Approximately 20 percent of respondents were at the executive
level (Chief Information Officer, Chief Information Security
Officer, Chief Security Officer, Chief Risk Officer), with 16
percent (17 percent in EMEA) reporting directly to the board of
directors.
• Communications skills were seen as very important or important by
81 percent of respondents (80 percent in EMEA) in order to be a
successful professional. Business skills were also seen as very
important or important by the majority of respondents, with 69
percent globally and 59 percent in EMEA.
• Information security governance is moving beyond the perimeter and
becoming more data-focused, protecting data at rest and in transit:
wireless security solutions, cryptography, storage security and
biometrics featured among the top five technologies being deployed
in most regions. In EMEA, wireless security solutions, storage
security and biometrics were identified as the top three.
• Information security awareness is recognised as a significant
factor in effective information security management: users following
information security policy was identified globally as the most
important factor in a security professional’s ability to protect the
organisation. In addition, 51 percent of respondents (38 percent in
EMEA) identified internal employees as the biggest threat to their
organisations.
• Globally, average annual salaries for professionals with five
years of experience are reported at US$94,500 (EMEA US$94,115) for
respondents identifying themselves as members of (ISC)2 and
US$73,856 (EMEA US$66,751) for all other participants. The majority
of members (70 percent) considered themselves to be information
security professionals; the majority of non-members (66 percent)
considered themselves to be information technology professionals.
• The profession is maturing globally, with average experience
levels reported at 9.5 years in the Americas, 8.3 years in EMEA and
7.1 years in Asia-Pacific. Professionals across all regions also
reported high levels of post-secondary education. EMEA had the
highest proportion of respondents with master’s and doctoral
degrees, at 37 percent (less than 30 percent in other regions) and
8 percent respectively.
“This year’s study offers evidence of changing priorities for
companies, and subsequently a changing focus for information
security professionals. Professionals are being tasked more with the
business of security, managing and consulting on its broad
contribution to the business, while the administration of the
technical solutions is being integrated into the IT department,”
says John Colley, CISSP, managing director of (ISC)2 in EMEA. “It is
understandable that the field is on pace to continue strong growth,
despite slowing economic conditions worldwide, with pressure on
professionals to ensure responsible, secure business practice coming
from consumers, B2B customers, partners and regulation.”
Frost & Sullivan estimates the number of information security
professionals worldwide to be approximately 1.66 million. This
figure is expected to increase to almost 2.7 million professionals
by 2012, a compound annual growth rate (CAGR) of 10 percent
globally. EMEA, which is on track to grow by 13 percent from 2007 to
2012, is the fastest growing market for professionals.
A strong outlook is also depicted for professional development in
the sector, with the great majority of respondents expecting either
stability or an increase in training budgets. Other highlights
include:
• Respondents reported that information security spending on
personnel remained stable in the Americas and EMEA in 2007 compared
to 2006. In contrast, Asia-Pacific respondents anticipated an
increase in information security spending across the board. Nearly a
third of respondents (27 percent in EMEA) reported an increase since
the previous study.
• Almost 60 percent (almost 50 percent in EMEA) of respondents with
less than 10 years of experience expected an increase in training
budgets over the next year, often to get up to speed on emerging
technologies and threats. Just over half (51 percent globally, 50
percent in EMEA) of people in operational roles expected an increase.
• Top training concerns included security administration,
application and systems security, business continuity and disaster
recovery planning, privacy and information risk management.
• 78 percent of hiring managers cited certifications as either “very
important” or “somewhat important”. While “quality of work” and
“company policy” were the top reasons given for the importance of
certification, a new reason, “customer requirement”, was cited by 33
percent (38 percent in EMEA) of the respondents who require
certifications.
For this study, web-based surveys were distributed to targeted
information security professionals worldwide in the third quarter of
2007. Approximately 20 percent of all respondents held executive
positions, such as chief information officer or chief information
security officer, while another 20 percent were directors or
managers; the remainder identified themselves as security
practitioners, programmers, or IT or network administrators.
To download a copy of the study, please visit
www.isc2.org/workforcestudy.
Nick Gibson, editor