Information security professionals, already experiencing a surge in demand for their badly needed technical skills, may also get a chance this year to flex their business acumen.
IT security professionals are being invited into corporate board rooms around the globe, wielding more influence and finding increased opportunities.
The 2005 Global Information Security Workforce Study, sponsored by the International Information Systems Security Certification Consortium, or (ISC)2, found that more than 70 percent of respondents believe they exercised more influence on executives in 2005 than in the previous year. More than 73 percent expect their influence to continue growing.
"This year, professionals worldwide indicated that information security is now being perceived as a business enabler rather than a business expense, and as a result, they are increasingly being included in strategic discussions with the most senior levels of management," said Rolf Moulton, president and CEO of ISC.
The number of information security professionals has grown to 1.9 million worldwide, a 9 percent increase over last year, according to Sara Bohne, director of communications and constituent services for (ISC)2. That figure is projected to rise to 1.9 million by 2009, representing an 8.5 percent compounded annual growth rate.
Dialogue between corporate executives and IT professionals has evolved from technical security discussions to risk management strategies. That means information security professionals are being invited into boardrooms for discussions early in the process, rather than being left out until the end, which increased costs and decreased control, Bohne said.
The change represents opportunity for mobility, both vertically and horizontally, among IT security professionals, said Howard Schmidt, vice president and chief information security officer for eBay Inc. and former presidential cybersecurity advisor.
Schmidt, on the Board of Directors of the International Information Systems Security Certification, said he gets calls three or four times a month from companies that recently created executive positions in security.
"There's more attention and focus on IT security as a profession, as opposed to just a job," Schmidt said.
The factors giving information security professionals greater visibility are: the maturation of the certification process; the increasing mobility of the world's workforce and subsequent vulnerabilities; growing sophistication among hackers; more stringent regulations regarding data.
"A lot of companies are finding themselves being in better financial positions, freeing up funds for investments in staffing and security," Bohne said. "Now it's really being viewed as a business enabler. There are things that get CEOs' attention, like SOX and the threat of being thrown in jail for leaking your customers' information."
The IDC study, which culminated from the responses of 4,305 full-time information security professionals in more than 80 countries, showed that information security is most mature in the Americas.
Experience counts for something, but accreditation is helping build credibility in the information security field as well.
"Organizations are starting to realize that qualified information security people are just as important as technology," Bohne said. "It's similar to choosing a lawyer or doctor. You wouldn't entrust a trial to someone who hadn't passed their bar exam. You wouldn't entrust surgery to someone who hasn't gone to medical school."
With more IT security people entering board rooms, skill sets are also evolving. According to Bohne, companies are looking for people with business and management expertise as well as security know-how. Those are the kinds of people who can explain security decisions and expenses to shareholders, Bohne said.
The return on investment for security isn't very tangible, but executives and others are starting to realize the importance of spending in that area.
The average salary among respondents in the Americas is $96,500. In Asia-Pacific it is $46,695, and in the IDC study's broad-stretching region of Europe, the Middle East and Africa, it's $77,975.
Analyst and Program Manager Allan Carey said American IT security professionals should be protected from offshoring trends because companies like to keep security in-house for tight control.
Carey, who led the IDC study, said he doesn't see the demand slowing for at least five to 10 years.
"We'll reach a point where organizations reach a capacity for the required staff to fulfill the roles within their security teams, and, once they reach that comfort level, that's when you'll start to see the growth and new opportunities slow down," says Carey. "But from the research we've conducted, many managers of security say they still don't have enough resources to accomplish their goals. So, I don't think we've reached that equilibrium yet."
Schmidt agreed that companies haven't even scratched the surface in terms of filling needs in information technology, particularly in security. He said that it would be at least five years before the need for information security professionals becomes less urgent.
Editor's Note: This article first appeared at TechWeb News, a sister publication of Insurance & Technology.
On The Net