Regulations and a better understanding of reputational risk are driving growth in the number of information security professionals, according to a report by global IT security standards body (ISC)2, which will be published next week.
The Global Information Security Workforce Study said the number of infosec professionals worldwide was likely to rise from 1.6 million this year to 2.7 million by 2012.
John Colley, managing director of (ISC)2 for EMEA, said security professionals are also being paid more, with the better qualified earning the most. "The average salary of an information security worker is £37,000 a year, but with a certificate, this jumps to £47,000 a year," Colley said. "In the EMEA region, the premium companies are paying for a certified professional is at least 30%."
Colley said demand for certificated information security professionals was driven by Sarbanes-Oxley legislation in the US, which can make directors liable for fraud, and by the Payment Card Industry's Data Security Standard, PCI DSS, which means businesses must protect customer details once they have been collected through payments.
He said the next 18 months are likely to show greater demand for certificated information security professionals. "There are not enough of them, so I expect the experienced professionals to support the less experienced, especially in developing markets like Nigeria and South Africa, and maturing markets such as the Middle East and Eastern Europe," he said.
Colley said the survey showed a switch from protecting the corporate network to protecting the corporate data. "Two-thirds of the 6,500 certified information security professionals we asked said they were using cryptography, and 65% said they were applying database security measures," he said.

"The most widespread technologies in use are firewalls (92%), physical security (79%), intrusion detection (78%) and identity and access control (73%).

"This shows that most companies have got good perimeter security, and more are using cryptography as a result of PCI DSS."
Colley said cryptography was easy to adopt but harder to manage. "With more mobility in the workforce, it makes sense to use encryption to protect company information. It is relatively easy to encrypt laptop computers and Blackberries, but smartphones and USB devices are more vulnerable," he said.
He said companies are having to think carefully about working with mobile devices. "They are just so useful," he said. "Just as information security professionals had to get used to working with SMS and dial-up access, they and their employers are going to have to come to terms with other mobile systems. People are going to use them anyway, so they have to raise security awareness throughout the company, and especially in the boardroom."
This would help firms avoid data breaches such as those suffered by TJX, Hannaford and HM Revenue & Customs, he said. "Companies risk losing their reputation for trustworthiness and probity, not because their systems are breached, but by how they handle the breach," Colley said. "An open, honest, fast and complete response is what people want to see. Anything else and their reputation will suffer."
There was no reason why smaller firms should be disadvantaged by regulations such as PCI DSS, Colley said. Large firms often change software, he said, which meant that each time there was an update they had to test it for compatibility with the existing system before they rolled it out as a working system. "SMEs can and should be all right with off-the-shelf applications," he said.