HONG KONG, Dec. 9--Xinhua-PRNewswire-AsiaNet/InfoQuest

Boards of Directors, CEOs and CISOs/CSOs are More Accountable for Information Security and Risk Management Strategies

The International Information Systems Security Certification Consortium [(ISC)2(R)], the non-profit international leader in educating and certifying information security professionals worldwide and currently celebrating the Year of the Information Security Professional, today announced the results of the second annual Global Information Security Workforce Study, conducted by global analyst firm IDC and sponsored by (ISC)2.

Results revealed the profession continued to mature and ultimate responsibility for information security moved up the management hierarchy, with more respondents identifying the board of directors and CEO, or a CISO/CSO, as being accountable for their company's information security. IDC expects this accountability shift to continue as information security becomes more relevant in risk management and IT governance strategies.

The study also found that security is becoming operationalized within organizations as they attempt to align their business and security strategies with the goal of establishing a comprehensive information risk management program. The majority of respondents -- 73% -- expect their influence with executives and the board of directors to increase in the coming 12 months, as dialogue between corporate executives and information security professionals has evolved from a technical security discussion to one of risk management strategies.

"This year, professionals worldwide indicated that information security is now being perceived as a business enabler rather than a business expense, and as a result, they are increasingly being included in strategic discussions with the most senior levels of management," said Rolf Moulton, CISSP-ISSMP, president and CEO (interim) of (ISC)2. "This demonstrates that the competency of information security professionals is being recognized as the key to an effective security strategy."

IDC analyzed responses from 4,305 full-time information security professionals in more than 80 countries worldwide who had purchasing, hiring and/or management responsibilities, with nearly half employed by organizations with US$1 billion or more in annual revenue. Respondents represent organizations of various sizes from both public and private sectors, different vertical industries, and varying core competencies and skill sets from organizations around the world.

Highlights from the 2005 report include:

-- Nearly 21% of respondents, up from 12% in 2004, say their CEO is now ultimately responsible for security, while those saying that the board of directors is now ultimately responsible for security rose nearly 6% from 2.5% in 2004. For the CIO, security accountability dropped to about 30.5%, from approximately 38% in 2004, and rose to 24% from 21% in 2004 for CISO/CSOs.

-- Organizations spend on average more than 43% of their IT security budgets on personnel, education and training. Overall, respondents are anticipating their level of education and training to increase by 22% over the coming year. Professionals in the Asia-Pacific region were more optimistic, with approximately 40% expecting increased levels of security training and education.

-- Professionals are looking for additional training in business continuity (50.5%), forensics (50.3%), and risk management (48%), all of which factored higher than the demand indicated in 2004. Further, more than 60% of respondents indicated that it was their intention to acquire at least one information security certification within the next 12 months.

-- Earnings are generally stable compared to 2004. An increase of 4% was reported from respondents in the Americas and in the Asia-Pacific region, with respondents earning less than US $30,000 rising from 24% last year to more than 26.5%.

-- The information security workforce in the Americas appears to be the most mature globally, with 46.6% having more than 10 years of experience, compared to 33.9% in Europe. Within the Asia-Pacific region, less than 25% of information security professionals have yet to be in the profession for more than 10 years.

"This year's study shows that information security has become a critical component of the enterprise. Complex security solutions, regulatory requirements and encroaching threat advances are driving organizations to entrench security strategies and policies and rely on highly educated, highly qualified professionals who must perform an ever-growing list of activities such as threat mitigation, compliance auditing, and proactive security management and monitoring," said Allan Carey, the IDC analyst who led the study.

The market outlook remains positive for individuals seeking to work in the information security field. IDC estimates the number of security professionals worldwide in 2005 to be 1.4 million, a 9% increase over 2004. This figure is expected to increase to more than 1.9 million by 2009, representing a compounded annual growth rate of 8.5% from 2004 to 2009.

The 2005 Global Information Security Workforce Study was conducted by IDC on behalf of (ISC)2 to provide detailed insight into important trends and opportunities within the information security profession. To download a copy of the study, please visit www.isc2.org/workforcestudy.

About (ISC)2

The International Information Systems Security Certification Consortium [(ISC)2] is the premier non-profit organization dedicated to certifying information security professionals around the world. Founded in 1989, (ISC)2 has certified over 40,000 information security professionals in more than 100 countries. Based in Palm Harbor, Florida, USA, with offices in Vienna, Virginia, USA, London, Hong Kong and Tokyo, (ISC)2 issues the Certified Information Systems Security Professional (CISSP(R)), Certification and Accreditation Professional (CAP(CM)) and Systems Security Certified Practitioner (SSCP(R)) credentials and related concentrations to those meeting necessary competency requirements. The CISSP, the Gold Standard in information security certifications, is the first information technology credential to meet the stringent requirements of ANSI under ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)2 also offers a portfolio of education-related products and services based upon (ISC)2's CBK(R), a compendium of industry best practices for information security professionals, and is responsible for the (ISC)2 Global Information Security Workforce Study. More information about (ISC)2 is available at www.isc2.org.

To request a copy of this study, or arrange a local spokesperson for an interview, please contact:

Kitty Chung
(ISC)2 Asia-Pacific
Tel: +852-3520-4001
Email: [email protected]

SOURCE International Information Systems Security Certification Consortium

--Distributed by AsiaNet (www.asianetnews.net)--