Study: Worries Over Coporate Reputation Making Information Security a Top Priority Worldwide

Author:

The 2008 Global Information Security Workforce Study (GISWS) was conducted by analyst firm Frost & Sullivan on behalf of (ISC)².  It surveyed 7,548 information security professionals, including over 1,500 C-suite executives and security managers, from companies and public sector organizations in more than 100 countries. Respondents came from the three major regions of the world: Americas (41%), Europe, Middle East and Africa (EMEA) (25%), and Asia-Pacific (34%). Web-based surveys were distributed to targeted information security profession respondents worldwide in the third quarter of 2007.

“This fourth edition of the study demonstrates more than ever before that information security has become a business imperative for organizations of all sizes, with far-reaching concerns such as corporate reputation, the privacy of customer data, identity theft and breach of laws and regulations driving information security governance,” according to Rob Ayoub, Frost & Sullivan industry manager, network security. 

Pressure over data loss and compliance has driven accountability for information security to the executive level with 49% of information security professionals reporting to executive management or boards of directors, compared to 21% the first year (ISC)² conducted a similar survey in 2004. Other study highlights include:

• Smaller organizations (up to 500 employees) accounted for nearly 60% of respondents, signifying a move from security as a priority for mostly larger organizations to organizations of all sizes due to business requirements and compliance, including the impact of the payment card industry’s PCI-DSS.
• A third of respondents said their primary functional responsibilities are mostly managerial. An additional 48% of respondents also report that their functional responsibilities will be mostly managerial in the next two to three years, suggesting a changing focus in their roles. 
• Approximately 20% of respondents were at the executive (Chief Information Officer, Chief Information Security Officer, Chief Security Officer, Chief Risk Officer) or manager level.
• Communications skills were seen as “very important” or “important” by 81% of respondents to be a successful professional. Business skills were also seen as very important or important by 69% of respondents.
• Information security is moving beyond the perimeter and becoming more data-focused, protecting data at rest and in transit with wireless security solutions, cryptography, storage security and biometrics represented in the top five technologies being deployed in most regions.
• Information security awareness is appreciated as a significant factor in effective information security management: Users following information security policy was identified as the most important factor in a security professional’s ability to protect the organization. In addition, 51% of respondents identified internal employees as the biggest threat to their organizations.
• Globally, average annual salaries for professionals with five years of experience are reported at US$94,500 for respondents identifying themselves as members of (ISC)² and US$73,856 for all other participants. The majority of (ISC)² members (70%) considered themselves to be information security professionals; the majority of non-members (66%) to be information technology professionals.
• The profession is maturing, with average experience levels reported at 9.5 years in the Americas, 8.3 years in EMEA, and 7.1 years in Asia-Pacific. Professionals across all regions also reported high levels of post-secondary education.