Security: People and Processes More Important Than Technology
25 Oct 03:28

The International Information Systems Security Certification Consortium [(ISC)²], a non-profit education and certification company, has announced the results of the third annual Global Information Security Workforce Study, conducted by global analyst firm IDC on behalf of (ISC)².

According to more than 4,000 information security professionals from more than 100 countries, in the largest study of its kind, the most important elements in effectively securing their organisations' infrastructure are (in order of importance):

  • management support of security policies
  • users following security policy
  • qualified security staff
  • software solutions
  • hardware solutions

According to the study, the top three success factors highlight the need for public and private entities to focus more time and attention on policies, processes and people, all areas which have been traditionally overlooked in favor of trusting hardware and software to solve security problems. Survey respondents say organisations are now beginning to recognise that technology is an enabler, not the solution, for implementing and executing a sound security strategy.

The study also found that more than 40 per cent of information security budgets is spent on personnel, education and training, a rise of around 5 per cent on previous years. 45 per cent of respondents in Europe, the Middle East and Africa (EMEA) (around 915 respondents) said that they would increase these budgets by nearly 21 per cent (globally, 39 per cent of respondents said they'd increase budgets by nearly a third).

"For organisations to proactively secure and protect their information, financial and physical assets requires the unconditional commitment to security at the financial, management and operational levels," said Allan Carey, program manager at IDC, who led the study. "Security management will always require the proper balance between people, policies, processes and technology to effectively mitigate the risks associated with today's digitally connected business environment."

IDC analysed responses from 4,016 full-time information security professionals in more than 100 countries. Respondents came from three major regions of the world: North, Central and South America (57.3 per cent), EMEA (22.8 per cent) and A-P (Asia-Pacific, including Japan) (19.5 per cent), and represent organisations from both the public and private sectors, different vertical industries, and varying core competencies and skill sets. Respondents typically had purchasing, hiring and/or management responsibilities.

Other highlights from the 2006 study include:

  • IDC estimates the number of information security professionals worldwide in 2006 to be 1.5 million, an 8.1 per cent increase over 2005. This figure is expected to increase to slightly more than 2 million by 2010, displaying a compound annual growth rate (CAGR) of 7.8 per cent from 2005 to 2010. As a comparison, the projected growth in the number of IT employees globally in the same timeframe is 4.6 per cent.
  • As an emerging market, Central Europe, Middle East and Africa (CEMEA) offers attractive employment opportunities for information security professionals. Over the next five years, IDC estimates the number of professionals in EMEA to grow from 348,162 to 499,962.
  • Average salaries globally are US$81,000 (64,031) compared to 70,169 (55,617) in EMEA, 76,890 in the UK, 41,533 in France and 49,221 in Germany.
  • Responsibility for executing a sound security strategy is being increasingly shared across the organisation, according to the study, making C-level officers accountable as part of a well-defined and articulated risk management program. Continuing a trend identified in last year's study, responsibility for securing information assets is shifting from the chief information officer (CIO) into other areas of senior management and business, including the chief executive officer, chief financial officer, chief risk officer and chief information security officer, as well as legal and compliance departments.
  • Common security technologies being implemented by organisations across all regions are biometrics, wireless security, intrusion prevention and forensics tools. Biometrics ranked either No. 1 or 2 across all regions.
  • The area of information security risk management has risen to the top as a training priority in both the Americas and EMEA and is No. 2 in A-P. This will continue for the foreseeable future as organisations struggle to gain control over their risk posture, develop a flexible framework to quickly adapt to new environmental factors, and provide visibility into their greatest risks. Business continuity and forensics are also topics where professionals are looking to increase their knowledge base and sharpen their skills.
  • During the past 12 months, 67 per cent of security practitioners believe their efforts were effective in influencing management and business stakeholders to drive security awareness and responsibility in their organisations. Looking forward to 2007, 73 per cent believe that they will be able to drive change in their organisations.
  • The importance of information security certifications as a hiring criterion remained high with 85 per cent of hiring managers but was down from a peak of 92 percent in 2004.
  • To compensate for limited resources and internal capabilities, organisations are engaging third-party services firms who have been able to attract qualified information security professionals.

"IDC believes that the security professionals who participated in this study are taking their message to the masses and acting as change agents within their organisations to ensure information security is recognised for its positive contributions to the business, as opposed to the sunk cost it has been perceived to be in past years," Carey said. "The message of people and processes being absolutely crucial to effective information security is finally starting to resonate with business leaders."

"Security breaches that have made headlines during the past year have been a result of human error, and this year's Global Information Security Workforce Study further validates the conventional wisdom long held by information security professionals that people are the critical component of an effective information security program," said Ed Zeitler, CISSP, executive director, (ISC)². "The fact that professionals are being heard by the C-suite and security responsibility is being shared across the organisation demonstrates that the information security profession has arrived and is being valued as an indispensable business component."

The 2006 Global Information Security Workforce Study (IDC Doc 203970, October 2006) was conducted by IDC and sponsored by (ISC)² to provide detailed insight into important trends and opportunities within the information security profession. The study aims to provide a clearer understanding of how professionals are compensated, how their organisations view security, and the next steps required to advance information security careers and the profession.

Related links:
www.isc2.org
