Regulations and a better understanding of reputational risk are driving growth in the number of information security professionals, according to a report by global IT security standards body (ISC)2, which will be published next week.
The Global Information Security Workforce Study said the number of infosec professionals worldwide was likely to rise from 1.6 million this year to 2.7 million by 2012.
John Colley, managing director of (ISC)2 for EMEA, said security professionals are also being paid more with the more qualified of these earning more. "The average salary of an information security worker is £37,000 a year, but with a certificate, this jumps to £47,000 a year," Colley said. "In the EMEA region, the premium companies are paying for a certified professional is at least 30%."
Colley said demand for certificated information security professionals was driven by Sarbanes-Oxley legislation in the US, which can make directors liable for fraud, and by the Payment Card Industry's Data Security Standard (PCI DSS), which means businesses must protect customer card details once they have been collected through payments.
He said the next 18 months are likely to show greater demand for certificated information security professionals. "There are not enough of them, so I expect the experienced professionals to support the less experienced, especially in developing markets like Nigeria and South Africa, and maturing markets such as the Middle East and Eastern Europe," he said.
Colley said the survey showed a switch from protecting the corporate network to protecting the corporate data. "Two-thirds of the 6,500 certified information security professionals we asked said they were using cryptography, and 65% said they were applying database security measures," he said.
"The most widespread technologies in use are firewalls (92%), physical security (79%), intrusion detection (78%) and identity and access control (73%).
"This shows that most companies have got good perimeter security, and more are using cryptography as a result of PCI DSS."
Colley said cryptography was easy to adopt but harder to manage. "With more mobility in the workforce, it makes sense to use encryption to protect company information. It is relatively easy to encrypt laptop computers and BlackBerrys, but smartphones and USB devices are more vulnerable," he said.
He said companies are having to think carefully about working with mobile devices. "They are just so useful," he said. "Just as information security professionals had to get used to working with SMS and dial-up access, they and their employers are going to have to come to terms with other mobile systems. People are going to use them anyway, so they have to raise security awareness throughout the company, and especially in the boardroom."
This would help firms avoid data breaches such as those suffered by TJX, Hannaford and HM Revenue & Customs, he said. "Companies risk losing their reputation for trustworthiness and probity, not because their systems are breached, but by how they handle the breach," Colley said. "An open, honest, fast and complete response is what people want to see. Anything else and their reputation will suffer."
There was no reason why smaller firms should be disadvantaged by regulations such as PCI DSS, Colley said. Large firms often change software, he said, which meant that each time there was an update they had to test it for compatibility with the existing system before rolling it out into production. "SMEs can and should be all right with off-the-shelf applications," he said.