The Demand for Security Certification
It’s no secret that technology is creating a more connected world every day. But as new technologies are released and adopted, the threats also increase. Historically, corporate America has been slow to install new security measures around these technologies until a problem gets out of control (for example, instant messaging). As a result, most companies are in continual catch-up mode and require a significant investment to overcome the emerging threat to their intellectual property, organizational assets and customer data.
These emerging threats, along with a much more demanding regulatory environment, are creating a groundswell of demand for highly qualified, certified information security professionals who possess knowledge of general principles, as well as skills in areas specific to the needs of the employer.
Internal and External Threats
One of the most pressing threats today is “the insider,” an individual who may be an employee, contractor, vendor or strategic partner and who accesses a network or computer environment for non-business purposes. The annual security study from the Computer Security Institute (CSI) and the FBI has long indicated that one of the greatest threats to an enterprise is the insider, but there’s little case law from investigations to support that finding, so the emphasis in most organizations is still on hackers. However, those statistics shouldn’t divert us from the fact that we need to pay attention to internal resources and how they’re using the network.
For instance, it’s estimated that insiders waste up to three hours each day on the Internet engaged in activities that deplete resources and business productivity. Most companies allow some personal use and are reluctant to establish an onerous policy. But those companies that are monitoring Internet usage by their employees and partners are discovering shocking information, such as regular access to pornographic sites or use of instant messaging (IM) to bypass regulatory requirements with financial institutions. (The Securities and Exchange Commission requires institutions to keep records of all e-mails for two years.)
Another significant threat is intellectual property theft. With today’s ability to move data, individuals can walk into an environment with a thumb drive and copy large quantities of data practically undetected. Few organizations restrict access to desktop or laptop computing resources to prevent or detect the introduction of unauthorized storage media. People who have physical access to an area can gain entry to unprotected systems and perhaps get access to proprietary data much more easily than before.
Another threat to intellectual property is the use of IM. In the past, information security professionals have placed so much emphasis on protecting and regulating corporate e-mail structures that few organizations have looked at IM as a security issue, and most don’t recognize the need to regulate it as they do e-mail.
Voice over Internet Protocol (VoIP) is another emerging threat. In the past, companies regulated their telecommunications bills because they found that employees abused telecommunications resources. With the speed and the ability to transfer information via voice and data over the Internet, companies need to devise a new strategy to monitor the use of that resource and the data that’s being transmitted outside their own environment.
In addition, companies are experiencing pressure from external regulators and new corporate governance rules such as Sarbanes-Oxley, which requires publicly traded companies to adequately protect their systems and information assets that impact the financial position. Organizations are making significant investments to comply with recent regulations and must anticipate the continuing pressure from regulatory requirements to protect sensitive and critical information.
To neutralize these threats and comply with new regulations, organizations are increasingly looking to highly trained information security professionals for the answer. Companies understand that they need to hire the right professionals with the right expertise. Otherwise, the potential negative impact on their business could be enormous.
Security Skills Demand
The demand in recent years for these specific security skill sets and capabilities has outpaced the demand for more generalized IT knowledge, and the population of IT security professionals has grown quickly. In 2004, IT research analyst group IDC conducted the first major study of the global information security workforce, sponsored by the International Information Systems Security Certification Consortium (ISC)2. IDC analyzed responses from 5,371 full-time information security professionals in more than 80 countries that had purchasing, hiring or management responsibilities, with nearly half employed by organizations with $1 billion or more in annual revenue. The goal of the study was to provide comprehensive, meaningful research data about the information security profession to professionals, corporations, government agencies, academia and others.
The study estimated the number of information security professionals worldwide in 2004 to be 1.3 million, a 14.5 percent increase over 2003. The number of professionals is expected to increase to 2.1 million by 2008 at a compound annual growth rate (CAGR) of 13.7 percent from 2003. Asia-Pacific is expected to grow at a faster CAGR of 18.3 percent during the same period, while the Americas and Europe, Middle East and Africa (EMEA) are projected to grow at a 12 percent CAGR and an 11.4 percent CAGR, respectively.
Career opportunities are abundant in the field today. People can make security their career choice but develop other areas of expertise, such as voice, data or video. Others may choose a career path that leads to a management position, ranging from business continuity to chief security officer (CSO). Another career path for security practitioners may be the measurement and control of enterprise systems to provide independent assurance to the C-suite. Yet another choice could be information security product development and sales.
More than 97 percent of the survey’s respondents had moderate to very high expectations for career growth. The study stated that security professionals have experienced growth in job prospects, career advancement, higher base income and salary premiums for certification at faster rates than other areas of information technology. All this for a profession that barely existed 10 years ago.
A Shift in Corporate Culture
In addition to a highly positive outlook for career opportunities, information security professionals also will find themselves in positions of higher responsibility in coming years. The study found that while most information security professionals reported to the IT department, many others were increasingly reporting directly to C-suite executives or a separate security department. This change has been slow to come and is still developing gradually, primarily because it’s a change in the mindset about what information security is and isn’t. Most C-suite executives see the IT department as the caretaker of all things related to information resources within an enterprise. It is logical to assume that the security of those resources should be the responsibility of that group.
However, the traditional corporate governance model has always separated duties and responsibilities in order to offer a system of checks and balances. This hasn’t been true with information security. In most organizations, the information security function has been under the control of the senior official charged with the development and operation of those resources, often the CIO. As a result, the culture of many organizations has to change in order to accommodate the movement or the transition of the information security function outside of the