Security pros gain ground in the board room

Executives are paying more attention to their IT security managers and taking more responsibility for online threats against their companies, according to a new study.

NEW YORK -- It pays to be a security professional these days, especially if you have one or more certifications under your belt. That's because corporate executives are paying more attention to their security managers in the face of growing online threats.

Framingham, Mass.-based research group IDC reached that conclusion in its 2005 Global Information Security Workforce Study, conducted on behalf of the Palm Harbor, Fla.-based International Information Systems Security Certification Consortium (ISC)². Rolf Moulton, president and CEO of (ISC)², unveiled the findings Wednesday at the Infosecurity Conference & Exhibition.

"Priorities are changing," Moulton said. "We can finally say security is being seen as an enabler -- part of the business process. We see security budgets increasing. We see that [companies] are investing more to educate staff. We see more CEOs taking responsibility" for security threats.

IDC surveyed 4,305 full-time information security professionals in more than 80 countries, and 73% said they expect their influence with executives and the board of directors to increase in the next year. Dialogue among corporate executives and IT security professionals has evolved from a technical security discussion to one of risk management strategies, Moulton said, adding, "This demonstrates that the competency of information security professionals is being recognized as the key to an effective security strategy."

Meanwhile:

  • Nearly 21% of respondents said their CEO is taking ultimate responsibility for security, up from 12% in 2004. Those saying that the board of directors is now ultimately responsible for security rose nearly 6% from 2.5% last year.
  • For the CIO, security accountability dropped to about 30.5% from approximately 38% in 2004, and rose to 24% from 21% in 2004 for CISO/CSOs.
  • Respondents said their companies spend more than 43% of their IT security budgets on personnel, education and training, and expect that to rise considerably in the next year.
  • Professionals said there's growing interest in training for business continuity (50.5%), forensics (50.3%) and risk management (48%), all of which factored higher than the demand indicated in 2004.
  • More than 60% said they plan to acquire at least one information security certification in the next year.
  • IDC estimates the number of security professionals worldwide in 2005 to be 1.4 million, a 9% increase over 2004. The figure is expected to rise to more than 1.9 million by 2009, representing a compounded annual growth rate of 8.5% from 2004 to 2009.

At Wednesday's press conference, Moulton said managers are increasingly interested in hiring certified workers because it indicates more competence and better work quality. They also believe certified workers will have a better grasp on company policy and regulatory compliance.

The findings also showed that hiring managers want people with expertise in wireless security (35%), identity and access management (32%), security event or information management (31%) and intrusion prevention systems (31%), among other things.
