More IT Security Pros Filling Executive Roles
IT security professionals are being invited into corporate board rooms around the globe, wielding more influence and finding increased opportunities.
The 2005 Global Information Security Workforce Study, sponsored by the International Information Systems Security Certification Consortium, or (ISC)2, found that more than 70 percent of respondents believe they exercised more influence on executives in 2005 than in the previous year. More than 73 percent expect their influence to continue growing.
"This year, professionals worldwide indicated that information security is now being perceived as a business enabler rather than a business expense, and as a result, they are increasingly being included in strategic discussions with the most senior levels of management," Rolf Moulton, president and CEO of ISC, said.
The number of information security professionals grew to 1.4 million worldwide in 2005, a 9% increase over 2004, says Sara Bohne, director of communications and constituent services at (ISC)2. That figure is projected to rise to 1.9 million by 2009, an 8.5% compounded annual growth rate since 2004.
Dialogue between corporate executives and IT professionals has evolved from technical security discussions to risk management strategies. That means information security professionals are being invited into boardrooms for discussions early in the process, rather than being left out until the end, which increased costs and decreased control, Bohne said.
The change represents opportunity for mobility, both vertically and horizontally, among IT security professionals, said Howard Schmidt, former vice president and chief information security officer for eBay Inc., and former presidential cybersecurity advisor.
Schmidt, on the Board of Directors of the International Information Systems Security Certification, said he gets calls three or four times a month from companies that recently created executive positions in security.
"There's more attention and focus on IT security as a profession, as opposed to just a job," Schmidt said.
The factors giving information security professionals greater visibility are the maturation of the certification process; the increasing mobility of the world's workforce and subsequent vulnerabilities; growing sophistication among hackers; and more stringent regulations regarding data.
"A lot of companies are finding themselves being in better financial positions, freeing up funds for investments in staffing and security," Bohne said. "Now it's really being viewed as a business enabler. There are things that get CEOs' attention, like SOX and the threat of being thrown in jail for leaking your customers' information."
The IDC study, which was compiled from the responses of 4,305 full-time information security professionals in more than 80 countries, showed that information security is most mature in the Americas.
Experience counts for something, but accreditation is helping build credibility in the information security field as well. "Organizations are starting to realize that qualified information security people are just as important as technology," Bohne said. "It's similar to choosing a lawyer or doctor. You wouldn't entrust a trial to someone who hadn't passed their bar exam. You wouldn't entrust surgery to someone who hasn't gone to medical school."
With more IT security people entering board rooms, skill sets are also evolving. Bohne said companies are looking for people with business and management expertise as well as security know-how. Those are the kinds of people who can explain security decisions and expenses to shareholders, Bohne said.
The return on investment for security isn't very tangible, but executives and others are starting to realize the importance of spending in that area.
The average salary among respondents in the Americas is $96,500. In Asia-Pacific it is $46,695, and in the IDC study's broad-stretching region of Europe, the Middle East and Africa, it's $77,975.
Analyst and Program Manager Allan Carey said American IT security professionals should be protected from offshoring trends because companies like to keep security in-house for tight control.
Carey, who led the IDC study, said he doesn't see the demand slowing for at least five to 10 years.
"We'll reach a point where organizations reach a capacity or the required staff to fulfill the roles within their security teams and once they reach that comfort level, that's when you'll start to see the growth and new opportunities slow down, but from the research we've conducted, many managers of security say they still don't have enough resources to accomplish their goals. So, I don't think we've reached that equilibrium yet."
Schmidt agreed that companies haven't even scratched the surface in terms of filling needs in information technology, particularly in security. He said that it would be at least five years before the need for information security professionals becomes less urgent.