The need to comply with a growing number of regulations and IT-based threats to business continuity is fuelling demand for IT risk managers and is driving up salaries, a survey by security training body (ISC)2 has revealed.
Commenting on the results of the third survey of employment trends in information security, which canvassed more than 4,000 respondents around the world (ISC)2 director John Colley said accountability for information security was shifting to specialist functions.
Two years ago, responsibility for risk security was in the hands of the chief security officer (CSO) in 25% of firms, he said. This has grown to 30% of firms, and the job has been split between the CSO and the chief information security officer (CISO), with a new job title, chief risk officer (CRO), appearing.
Colley said CIOs and chief technical officers were still largely responsible for securing the technology, but their role in ultimate accountability was diminishing as boards and other executives assumed more responsibility.
"Infosecurity is no longer an ivory tower issue," Colley said. "It is now a key function that is critical in protecting the bottom line."
Analysis of information security budgets in the Europe, Middle East and Africa region revealed that about half had increased their spending by more than 20% in the past year.
Much of the new money has been spent on staff. These represent about 31% of an average £2.2m budget for security in 2006.
This focus on people is reflected in the priorities reported to (ISC)2, with finding qualified staff reported to be one of the top three priorities for 81% of respondents.
Management support of security policies was the top priority for 43% of respondents, and user take-up of security policies was second with 34%.
Colley said 42% of respondents were looking for training in infosecurity risk management. About 40% want training in business continuity, disaster recovery and meeting ISO and IEC 17799 standards.
Demand for forensic training is rising, but respondents were confident in their ability to control access to data.
Comment on this article: firstname.lastname@example.org