2007'02.11.Sun
People and Processes More Important than Technology in Securing the Enterprise, According to Global Survey of 4,000 Information Security Professionals
October 26, 2006
3rd Annual (ISC)2-Sponsored Global Information Security Workforce Study Says Asia-Pacific Offers Attractive Employment Incentives and Opportunities for Information Security Professionals
HONG KONG, Oct. 26 /Xinhua-PRNewswire/ -- The
International Information Systems Security Certification
Consortium ((ISC)2(R)), the non-profit global leader in
educating and certifying information security professionals
throughout their careers, today announced the results of the
third annual Global Information Security Workforce Study,
conducted by global analyst firm IDC and sponsored by
(ISC)2.
According to more than 4,000 information security
professionals in more than 100 countries in the largest
study of its kind, the most important elements in
effectively securing their organization's infrastructure
are (in order of importance):
-- Management support of security policies
-- Users following security policy
-- Qualified security staff
-- Software solutions
-- Hardware solutions
According to the study, the top three success factors
highlight the need for public and private entities to focus
more time and attention on policies, processes and people,
all areas which have been traditionally overlooked in favor
of trusting hardware and software to solve security
problems. Survey respondents say organizations are now
beginning to recognize that technology is an enabler, not
the solution, for implementing and executing a sound
security strategy.
The study also found that responsibility for executing
a sound security strategy is being increasingly shared
across the organization, making C-level officers
accountable as part of a well-defined and articulated risk
management program. Continuing a trend identified in last
year's study, responsibility for securing information
assets is shifting from the Chief Information Officer (CIO)
into other areas of senior management and business,
including chief executive officer, chief financial officer,
chief risk officer and chief information security officer,
as well as legal and compliance departments.
"For organizations to proactively secure and
protect their infrastructure, information, financial and
physical assets requires the unconditional commitment to
security at the financial, management and operational
levels," said Allan Carey, program manager at IDC who
led the study. "Security management will always
require the proper balance between people, policies,
processes and technology to effectively mitigate the risks
associated with today's digitally connected business
environment."
IDC analyzed responses from 4,016 full-time information
security professionals in more than 100 countries, with
nearly 40 percent employed by organizations with US$1
billion or more in annual revenue. Respondents came from
three major regions of the world: North, Central and South
America (57.3%), EMEA (Europe, Middle East, Africa) (22.8%)
and A-P (Asia-Pacific, including Japan) (19.5%), and
represent organizations of various sizes from both the
public and private sectors, different vertical industries,
and varying core competencies and skill sets from
organizations. Respondents typically had purchasing,
hiring and/or management responsibilities. Other
highlights from the 2006 study include:
-- IDC estimates the number of information security
professionals
worldwide in 2006 to be 1.5 million, an 8.1 percent
increase
over 2005. This figure is expected to increase to
slightly more
than 2 million by 2010, displaying a compound
annual growth rate
(CAGR) of 7.8 percent from 2005 to 2010. As a
comparison, the
projected growth in the number of IT employees
globally in the
same timeframe is 4.6 percent.
-- A-P presents the highest growth opportunities for
information
security professionals over other regions. IDC
estimates the
number of information security professionals in A-P
to grow from
458,844 to 733,943, representing CAGR of 9.8
percent from 2005
to 2010.The growth for 2005-2006 has been 10.6
percent.
-- A-P salaries have progressed and are starting to
come inline with
other regions of the world. For individuals
earning between
US$70,000 and $125,000, there was a 6.2 percent
positive
difference between 2005 and this year. On the
lower end of
the spectrum, security professionals in A-P earning
less than
US$40,000 still consist of more than 39 percent of
all
respondents in the region; however, this is seven
percent fewer
than last year, which was on par with 2004.
-- A-P tends to lag the US by approximately 18 months
when it comes
to information security market maturity, therefore,
A-P is now
experiencing above average growth that occurred in
the US four
to five years ago.
-- Common security technologies being implemented by
organizations
across all regions are biometrics, wireless
security, intrusion
prevention and forensics tools. Biometrics ranked
either No. 1
or 2 across all regions.
-- The area of information security risk management has
risen to the
top as a training priority in both the Americas and
EMEA and is
No. 2 in A-P. This will continue for the
foreseeable future as
organizations struggle to gain control over their
risk posture,
develop a flexible framework to quickly adapt to
new
environmental factors, and provide visibility into
their
greatest risks. Business continuity and forensics
are also
topics where professionals are looking to increase
their
knowledge base and sharpen their skills.
-- During the past 12 months, 67 percent of security
practitioners
believe their efforts were effective in influencing
management
and the business stakeholders to drive security
awareness and
responsibility to their organizations. Looking
forward to 2007,
73 percent believe that they will be able to drive
change in
their organizations.
-- Overall, organizations are spending a greater
percentage of their
information security budgets on personnel and
training in 2006
than in 2005. Organizations are spending more than
41 percent
of their security budgets, on average, on personnel
and training
to staff projects and support post-deployment
management.
-- The importance of information security
certifications as a hiring
criterion remained high with 85 percent of hiring
managers but
was down from a peak of 92 percent in 2004.
"IDC believes that the security professionals who
participated in this study are taking their message to the
masses and acting as 'change agents' within their
organizations to ensure information security is recognized
for its positive contributions to the business, as opposed
to the sunk cost it has been perceived to be in past
years," Carey said. "The message of people and
processes being absolutely crucial to effective information
security is finally starting to resonate with business
leaders."
"Security breaches that have made headlines during
the past year have been a result of human error, and this
year's Global Information Security Workforce Study further
validates the conventional wisdom long-held by information
security professionals that people are the critical
component of an effective information security
program," said Ed Zeitler, CISSP, executive director,
(ISC)2. "The fact that professionals are being heard
by the C-suite and security responsibility is being shared
across the organization demonstrates that the information
security profession has arrived and is being valued as an
indispensable business component."
"In regard to certification, this survey did not
differentiate between certifications that rely on a test
solely and those that require validated work experience,
continuing education, peer sponsorship and other
requirements generally associated with professional
certifications in other more established fields,"
added Zeitler. "We believe accredited certifications
that support management's need for professionals with
real-world experience and ongoing education are viewed more
favorably than certifications earned for passing a test
alone."
The 2006 Global Information Security Workforce Study
(IDC Doc # 203970, October 2006) was conducted by IDC on
behalf of (ISC)2 to provide detailed insight into important
trends and opportunities within the information security
profession. The study aims to provide a clearer
understanding of how professionals are compensated, how
their organizations view security, and next steps required
to advance information security careers and the profession.
To download a copy of the study, please visit
http://www.isc2.org/workforcestudy .
About (ISC)2
The International Information Systems Security
Certification Consortium "(ISC)2" is the premier
non-profit organization dedicated to certifying information
security professionals around the world. Founded in 1989,
(ISC)2 has certified over 45,000 information security
professionals in more than 120 countries. Based in Palm
Harbor, Florida, USA, with offices in Vienna, Virginia,
USA, London, Hong Kong and Tokyo, (ISC)2 issues the
Certified Information Systems Security Professional
(CISSP(R)) and related concentrations, Certification and
Accreditation Professional (CAPCM) and Systems Security
Certified Practitioner (SSCP(R)) credentials and related
concentrations to those meeting necessary competency
requirements. The CISSP, the CISSP-ISSEP(R) and SSCP(R)
are among the first information technology credentials to
meet the stringent requirements of ANSI/ISO/IEC Standard
17024, a global benchmark for assessing and certifying
personnel. (ISC)2 also offers a portfolio of educational
related products and services based upon (ISC)2's CBK(R), a
taxonomy of information security topics, and is responsible
for the (ISC)2 Global Information Security Workforce Study.
More information about (ISC)2 is available at
http://www.isc2.org .
(C) 2006, (ISC)2 Inc. (ISC)2 , CISSP, ISSEP, SSCP and
CBK are registered certification marks and CAP is a service
mark of (ISC)2 Inc.
Note to Editors:
For more information, please contact:
Kitty Chung
(ISC)2 Asia-Pacific
Tel: +852-3520-4001
Email: kchung@isc2.org
SOURCE (ISC)2 Inc.
PR
Post your Comment
広告
ブログ内検索
アーカイブ
カウンター