Worries over corporate reputation make infosec top priority
Avoiding reputation damage to the organisation was viewed as the top priority for security programs by three quarters (71 percent globally, 75 percent in Europe, Middle East and Africa, or “EMEA”) of information security professionals surveyed in a worldwide study launched today by (ISC)², the non-profit global leader in educating and certifying information security professionals throughout their careers.
The 2008 Global Information Security Workforce Study was conducted by analyst firm Frost & Sullivan on behalf of (ISC)². It surveyed 7,548 information security professionals, including over 400 CSOs and CISOs and other professionals with responsibility for information security, from companies and public sector organisations in more than 100 countries. Respondents came from the three major regions of the world: Americas (41 percent), Europe, Middle East and Africa (EMEA) (25 percent), and Asia-Pacific (34 percent).
This fourth edition of the study demonstrated more clearly than ever before that information security has become a business imperative for organisations, with far-reaching concerns such as corporate reputation, the privacy of customer data (top priority for 70 percent globally, 69 percent EMEA), identity theft (high priority for 67 percent globally, 63 percent EMEA), and breach of laws and regulations (61 percent globally, 60 percent EMEA) motivating information security governance. Pressure over data loss and compliance has driven accountability for information security to the executive level, with the proportion of information security professionals reporting to executive management at 33 percent globally and 40 percent in EMEA, compared to 21 percent globally in the first year (ISC)² conducted a similar survey, 2004.
Other study highlights include:
- Smaller organisations (up to 500 employees) accounted for nearly 60 percent of respondents globally and in EMEA, signifying a move from security as a priority for mostly larger organisations to organisations of all sizes due to business requirements and compliance, including the impact of the payment card industry’s PCI-DSS.
- A third of respondents (36 percent globally, 35 percent EMEA) said their primary functional responsibilities are mostly managerial, with a higher proportion of respondents (48 percent globally, 43 percent EMEA) reporting that their functional responsibilities will be mostly managerial in the next two to three years, suggesting a changing focus for their role.
- Approximately 20 percent of respondents were at the executive level (Chief Information Officer, Chief Information Security Officer, Chief Security Officer, Chief Risk Officer), with 16 percent (17 percent in EMEA) reporting directly to the board of directors.
- Communications skills were seen as very important or important by 81 percent of respondents (80 percent in EMEA) in order to be a successful professional. Business skills were also seen as very important or important by the majority of respondents, with 69 percent globally and 59 percent in EMEA.
- Information security governance is moving beyond the perimeter and becoming more data-focused, protecting data at rest and in transit with wireless security solutions, cryptography, storage security and biometrics featuring in the top five technologies being deployed in most regions. In EMEA, wireless security solutions, storage security and biometrics were identified as the top three.
- Information security awareness is appreciated as a significant factor in effective information security management: Users following information security policy was identified globally as the most important factor in a security professional’s ability to protect the organisation. In addition, 51 percent (38 percent EMEA) of respondents identified internal employees as the biggest threat to their organisations.
- Globally, average annual salaries for professionals with five years of experience are reported at US$94,500 (EMEA US$94,115) for respondents identifying themselves as members of (ISC)² and US$73,856 (EMEA US$66,751) for all other participants. The majority of members (70 percent) considered themselves to be information security professionals; the majority of non-members (66 percent) considered themselves to be information technology professionals.
- The profession is maturing globally, with average experience levels reported at 9.5 years in the Americas, 8.3 years in EMEA, and 7.1 years in Asia-Pacific. Professionals across all regions also reported high levels of post-secondary education. EMEA had the highest number of respondents with masters and doctoral degrees at 37 percent (less than 30 percent in other regions) and 8 percent, respectively.
Frost & Sullivan estimates the number of information security professionals worldwide to be approximately 1.66 million. This figure is expected to increase to almost 2.7 million professionals by 2012, displaying a compound annual growth rate (CAGR) of 10 percent globally. EMEA, which is on track to grow by 13 percent from 2007 to 2012, is the fastest growing market for professionals. A strong outlook is also depicted for professional development in the sector, with the great majority of respondents expecting either stability or an increase in training budgets. Other highlights include:
- Respondents report information security spending on personnel remained stable in the Americas and EMEA in 2007 compared to 2006. In contrast, Asia-Pacific respondents anticipate an increase in information security spending across the board. Nearly a third of respondents (27 percent in EMEA) reported an increase since the previous study.
- Almost 60 percent (almost 50 percent EMEA) of respondents with less than 10 years of experience reported an expected increase in training budgets over the next year, often to get up to speed on emerging technologies and threats. More than 51 percent (50 percent in EMEA) of people in operational roles expected an increase.
- Top training concerns included security administration, application and systems security, business continuity and disaster recovery planning, privacy and information risk management.
- 78 percent of hiring managers cited certifications as either “very important” or “somewhat important.” While “quality of work” and “company policy” were the top reasons given for certification’s importance, a new reason – “customer requirement” – was identified by 33 percent of respondents (38 percent in EMEA) requiring certifications.
For this study, Web-based surveys were distributed to targeted information security profession respondents worldwide in the third quarter of 2007. Approximately 20 percent of all respondents held executive positions, such as chief information officer or chief information security officer, while another 20 percent were directors or managers, and the remainder identified themselves as security practitioners, programmers, IT or network administrators.
To download a copy of the study, please visit www.isc2.org/workforcestudy.