(ISC)2 has announced the results of its fourth Global Information Security Workforce Study (GISWS). Conducted for (ISC)2 by Frost & Sullivan, a total of 7,548 professionals were surveyed — the largest sampling to date — from North and Latin America; Europe, the Middle East and Africa (EMEA); and Asia Pacific (APAC). Following are some highlights and key demographic data that provide a snapshot of today’s information profession and where it is headed.
One of the most prominent results of the 2008 GISWS is that 70 percent of all respondents reported their own employees are the biggest threat to their organizations’ security. This statistic amplifies the findings of other studies that, contrary to mainstream opinion that effective security involves a series of technology quick fixes to protect your organization from danger “out there,” it’s an organization’s own employees who are both the weakest link and the strongest asset in securing the environment.
Eighty-four percent of the security professionals who responded to the survey noted that preventing damage to their organizations’ reputation was the top priority for their security programs, an understandable sentiment considering the plethora of news coverage of security breaches in recent years. Coming in second and third, respectively, were preventing customer privacy violations and customer identity theft and fraud, in many ways reinforcing the first priority. All three priorities show a world that has changed from asking where the return-on-investment is in security to seeing it as essential to running an organization.
A new trend that emerged from the current GISWS is that the Payment Card Industry Data Security Standard (PCI DSS) compliance mandate appears to be driving small- to medium-sized businesses (SMBs) to require information security staff. PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures for secure credit card payments. This new trend further demonstrates that the ROI of security professionals is moving down the chain from large corporations to SMBs that, at one time, would never have considered hiring a security administrator.
Some significant changes in the reporting structure were noted in the current GISWS compared to the 2006 study. Most notable was the increased percentage of security professionals who report to executive management. In the 2006 study, only 17 percent of (ISC)2-certified members reported to executive management, while that number rose to more than a quarter of all respondents in the current study. This increase in executive management reporting demonstrates the increased clout that information security professionals have within their organizations.
In accordance with this growing respect for the information security professional’s role, the average annual salary increased for all regions. Worldwide, the average annual salary for respondents who are (ISC)2 members was $92,575 as compared to $80,752 in 2006, an increase of 15 percent.
Work experience also played a factor, with 63 percent of (ISC)2 members with more than 15 years of information security experience reporting earning more than $100,000. (ISC)2 respondents in the Americas continued to lead the way in annual salary, with an average reported income of $100,967. Although APAC still trails the Americas and EMEA regions in terms of average salary at $63,181, this is still a significant increase from 2006’s findings of $52,912.
Worldwide, the majority of non-(ISC)2 member respondents (69 percent) reported earning salaries of less than $79,999, with the largest segment (33 percent) earning $39,999 or less.
If you are an information security professional, or if you’re responsible for hiring them, it’s good to have an understanding of how your peers are doing around the world. Following is a brief profile of the average professional from the GISWS.
Although both (ISC)2 members and non-members were included in the survey, the following demographics will focus on members, since they comprised the majority of respondents.
The (ISC)2 respondents surveyed are well educated, with roughly half having obtained a bachelor’s degree (49 percent) and just more than a third having obtained a master’s degree (36 percent).
Half of the respondents work in very large organizations (10,000-plus employees), and nearly 45 percent reported working for organizations with revenues between $500 million and $10 billion. The next largest segment of respondents (20 percent), however, reported working for small organizations (one to 499 employees). This contrast indicates a growing diversity within the field.
The most common types of organizations for which (ISC)2 member respondents indicated they worked were information technology (18 percent), professional services (18 percent) and banking (11 percent). The most commonly held job titles are security consultant (19 percent), security manager (12 percent), security analyst (11 percent), IT director/manager (10 percent) and security systems engineer (10 percent).
Despite the variety of job titles respondents hold, the overwhelming majority (70 percent) considers its current job function to fit under the umbrella of “information security professional,” as opposed to information technology professional. This differentiation is a positive trend for the industry, underscoring that information security is seen as a distinct field rather than simply an extension of IT or another technical profession.
The average number of years of information security experience reported by (ISC)2 members was just more than 10, with about half (49 percent) actively involved with information security for six to 10 years. Those with more than 15 years of experience reported a current role that is mostly managerial, while those with fewer than six years of experience have a role that is mostly technical.
What do these professionals spend their time doing on the job? Respondents indicated the most common job functions were researching new technologies (49 percent); developing internal security policies, standards and procedures (45 percent); meeting regulatory compliance (42 percent); internal and political issues (41 percent); and implementing new technologies (40 percent). In other words, information security professionals are busy fighting fires on all fronts.
Certification and Training Still in Demand
In this rapidly changing field, the 2008 GISWS shows that certification and training still play a major role in the profession to keep staff apprised of the latest security trends and issues.
Nine out of 10 (ISC)2 member respondents who are responsible for hiring information security staff indicated it is important for their staffs to have information security certifications, with 78 percent considering certification with (ISC)2 the most critical, followed closely by ISACA’s Certified Information Systems Auditor (CISA) certification, at 76 percent. Employee competence (73 percent) and the quality of work (60 percent) were cited as the most prominent reasons their organizations require staff to have information security certifications.
Seven out of 10 non-(ISC)2 respondents who are responsible for hiring consider it important that their staffs have information security certifications, and four out of 10 non-(ISC)2 respondents indicated that their organizations require staff to have information security certifications. The most prominent reasons stated for this mandate include quality of work (70 percent), company policy (68 percent) and employee competence (61 percent).
The survey shows that training continues to grow, as one-third of (ISC)2 member respondents indicated they expect the amount of training and education they’ll receive in the coming year to increase. The survey shows a particular demand for training in applications and systems development security (43 percent), information risk management (43 percent), business continuity and disaster recovery planning (41 percent) and forensics (41 percent). Demand for training and education had the highest response from those security professionals with more than 15 years of experience.
The results of the 2008 GISWS validate that the field of information security continues to gain recognition as a profession in its own right. Organizations large and small are embracing the need for it.
Eddie Zeitler is executive director for (ISC)2. He can be reached at editor (at) certmag (dot) com.