IT security professionals all over the globe are getting the clout necessary to make infosec a business imperative – not just a technology one.
Security expert Jim Wade shared these and other exclusive details about the infosecurity profession's evolution over the past five years during the recent SC Forum in Napa Valley.
Infosec professionals have moved into the C-level suite – a station that had escaped them during the past five years, said Wade, president and chairman of the board at (ISC)2, who based his talk on the first Global Workforce Study of the Information Security Profession, published by the non-profit International Information Systems Security Certification Consortium (ISC)2 and conducted by research company IDC.
The first of its kind to profile information security professionals all over the globe, the study was conducted during the late spring and early summer of 2004 to offer up "meaningful research data about the information security profession for the first time to professionals, corporations, government agencies, (ISC)2 constituents, academia and other interested parties," according to the study.
IDC surveyed 5,371 respondents from companies and public-sector organizations around the globe. The survey was performed via a web-based portal, with traffic driven to the site through email solicitations.
The survey sought such information as the total number of information security professionals worldwide and per region, the growth outlook for the profession over the next few years worldwide and per region, salary and job trends in infosec, the most important issues to the average IT security professional, budget trends in the industry, whether training and certification are important to information security managers, and much more.
The study concluded that the infosec profession will change even more over the coming months and years as organizations try to confront growing risks. These risks are occurring because of the adoption of new technologies, the evolution of threats and attack types, and the convergence of IT security with such areas as physical security and internal risk management to become more of a business function, rather than simply an IT one.
In this article, we asked (ISC)2's chief executive officer and president James Duffy and IDC analyst Allan Carey to share some of their opinions about the information security profession and insight from the study through an email question and answer session held by SC Magazine.
James Duffy: "First, we'd like to explain why (ISC)2 chartered IDC to conduct the first study of the global information security profession.
"The (ISC)2 Global Workforce Study of the Information Security Profession was conducted to provide a detailed insight into the important trends and opportunities in the information security profession worldwide.
"The objective is to provide meaningful research data about the information security profession for the first time to a range of interested parties – including infosec professionals, corporations, government agencies, (ISC)2 constituents, and academia."
Illena Armstrong: So just how many CISSPs are there worldwide? And how many of these are senior security professionals – such as CSOs, CISOs, and so on? What about growth over the past few years?
JD: "There are currently more than 27,000 CISSPs worldwide, an increase of 800 percent from 2001. That number is expected to near 30,000 by the end of 2004, with nearly 11,000 CISSPs outside the U.S. Year-over-year growth is 38 percent, with the U.S. at 29 percent and international at 51 percent. We are projecting roughly 40,000 CISSPs worldwide by the end of 2005."
Allan Carey: "IDC estimates that there are 1.3 million professionals worldwide. That number is expected to grow to 2.2 million by 2008 at a compounded annual growth rate of 13.7 percent.
"In this survey, almost ten percent of executive management weighed in with their opinions of the information security profession, with the remainder of those questioned consisting of various security titles.
"From the survey, an average of 37 percent report to the IT department. Another 20 percent reported into executive management, while 19 percent were under the direct responsibility of the security department."
IA: Are there any particular skills required by each group? What sort of training should they ensure they get? And should they be gravitating toward university programs offering undergrad and grad degrees in computer security or assurance?
JD: "As the study suggests, a proper education and continuous training are essential elements to the success of the information security professional – especially to keep up on new legislation, technologies and threats.
"Their role requires an effective combination of networking experience, security knowledge and business acumen. Most hiring managers require both vendor-neutral certifications, such as the CISSP, and a vendor-specific certification that complements the computing environment which their organization uses.
"As far as undergraduate education, the study shows most surveyed have an undergraduate degree and many have advanced degrees. (ISC)2 is a big supporter of information security higher education and created the (ISC)2 Associate for students who want to show employers they can pass the CISSP exam, but still need the requisite four years of experience to attain the certification."
IA: Where do you see this profession three to five years from now?
JD: "(ISC)2 agrees with the vast majority of survey respondents, and this was across all regions, who were highly positive about their personal career growth opportunities.
"We think the survey shows that the information security profession's time has come, that the C-suite is respecting the role these professionals play, as well as respecting their need for continuing education and validation to maintain their effectiveness. We also believe that the professional's influence on business and government will grow exponentially as awareness continues to rise regarding the professional's critical role in protecting an organization's information assets. Legislation and governance regulations will continue to play a major factor in this growth as well."
IA: What, if any, regional differences did you find among these professionals, their various duties, and the corporate reporting structure?
AC: In more than 40 percent of AP-based organizations, members of the security group report into IT. Equally, 17 percent of surveyed security professionals report into either executive management or the security department. Interestingly, there was a higher percentage (21 percent) of IT security staff underneath the security department in EMEA-based organizations than in any other region.
Across organizations worldwide, however, finance and operations were the least likely groups to have the IT security group reporting to them.
IA: How fast is the security profession growing and what kinds of professionals are needed (high-level policy types, more technically-inclined pros, compliance experts, and so on)?
AC: The worldwide population of information security professionals is projected to grow at 13.7 percent year-over-year for the next five years. During this time, organizations will require many of the various types of security professionals, although their titles and responsibilities will more than likely change to reflect the maturing security demands of their employers.
IA: Are there any particular skills each group requires? What sort of training should they ensure they get? And should they gravitate toward university programs offering undergrad and grad degrees in computer security or assurance?
AC: On average, respondents stated they receive approximately ten days of security-related training each year. Most said that the amount of training received would either remain the same or increase next year. From an academic perspective, many higher education institutions worldwide have made significant investments in staff and curriculum to develop concentrated degrees and certificates at both the undergraduate and graduate levels. The original group of seven in the U.S. Centers of Academic Excellence in Information Assurance Education program has grown to more than 55, with at least one center in 27 of the 50 U.S. states.
IA: Which vertical markets seem to have the most security professionals and how is that changing, if at all?
AC: Respondents represented a range of different vertical industries. The largest group of responses (29 percent) came from the professional services industry, followed by government, financial services (including banking, insurance and other related services), and telecommunications. As one would imagine, the industries which are most heavily regulated had high representation, and this will probably not change drastically in the immediate future.
IA: What about salary now and in the future, and how is job growth looking?
AC: At the moment, salaries vary on a regional basis. More than 70 percent of AP respondents earned less than $60,000 USD annually, compared to 12 percent in the Americas and 18 percent in EMEA. Having said that, security professionals in the Americas and EMEA are more optimistic about their potential for career growth than their colleagues in AP. At the very least, they all believe that the job market, and in particular their careers and opportunities within the information security industry, will reasonably improve for the foreseeable future.
IA: What seemed to be some of the primary security and business issues noted by the security professionals queried? Did these concerns change with the vertical market and/or region? And are they the same worries that professionals feel they will have now and in the distant future?
AC: Through the spectrum of security topics, there were key areas where information security professionals see an unmet need for additional training and certification, including security management practices, telecommunications and network security, business continuity and disaster recovery planning.