Information Security Set for Explosive Growth
Driven by compliance and public confidence issues, information security is
expected to expand dramatically over the next few years, according to new research
released by Frost & Sullivan and (ISC)².
Worldwide, the number of information security professionals will grow from
1.66 million in 2007 to about 2.7 million in 2012, experiencing a compound annual
growth rate of 10 percent.
As a percentage, the bulk of this growth, according to the report, will happen
in Europe, the Middle East and Africa (13 percent collectively). However, the
Americas, at a 10 percent CAGR, dominate in raw numbers, growing from 685,700
in 2007 to a little more than 1.1 million in 2012. The Asia-Pacific region will
see the slowest compound annual growth of the three major regions, at 8 percent.
The report, entitled "The 2008 (ISC)² Information Security Workforce
Study," polled 7,548 respondents from both the public sector and the private
sector in fall 2007. It showed that the factors driving growth in information
security include:
- Regulatory compliance initiatives that place responsibility on executives.
- Organizations' needs to prevent damage to reputation (i.e., maintaining
public confidence).
- Tangible financial costs for failing to meet regulatory requirements.
On this last one, Frost & Sullivan estimated that the cost of any data breach
runs anywhere from $50 to $200 per record lost, not including intangible
losses resulting from damage to an organization's reputation.
Security Technologies: Deployments
Within the information security industry, two clear winners emerged in terms
of the categories of technologies expected to be deployed worldwide within the
next 12 months: wireless security solutions (15 percent) and biometrics (14
percent). In the Americas, biometrics ranked at No. 1, with wireless security
coming in at No. 2.
Beyond these, intrusion detection and disaster recovery/business continuity
tied at 12 percent. At 11 percent each were storage security and cryptography.
(Storage security did not make the top 5 in the Americas.)
At the 10 percent level were:
- Intrusion prevention.
- Risk management solutions.
- Vulnerability assessment and penetration testing.
- Incident management.
At the 9 percent response level were:
- Identity and access management.
- Security event or information management.
- Vulnerability management.
- SIM (Security Information Management).
- Problem management.
And, at the lowest tier of the top-21 technologies scheduled for deployment,
at 8 percent, were:
- Compliance management.
- Configuration management.
- Database security.
- Web application security.
- SIEM (Security Information and Event Management).
- Change management.
Security Training
And in order to support these technologies and the security goals they represent,
training for information security professionals is expected to increase in the
next 12 months. Around the world, 56 percent of respondents reported that they
expect spending on training to increase in the coming year. The Americas saw
the highest response in this area, at 58 percent. Globally, only 4 percent of
respondents said they expected decreases in spending on information security
training, with the lowest figure in the Americas, at 2 percent.
The top 5 areas in which respondents indicated the need for training was greatest
included security administration (50 percent), applications and system development
security (35 percent), telecommunications and network security (31 percent),
access control systems and methodology (30 percent), and business continuity
and disaster recovery planning (29 percent).
Forty percent of respondents indicated that they personally expect to acquire
additional certifications within the next 12 months.
Users: Oh, Yeah...Them
Respondents indicated, however, that users are the greatest problem facing information
security, with a full 80 percent reporting that users following security policy
is important (32 percent) or very important (48 percent) to overall security
within an organization. In fact, security policy issues with users, management,
and security personnel beat out all other categories in terms of perceived importance,
including software solutions, hardware solutions and even hiring qualified security
staff.
The study did not poll information security professionals on their attitudes
toward providing service to users within an organization. However, there was
one area that touched on user needs, and that was in the area of training for
security professionals in privacy. This ranked lowest among all cited areas
of training, with only 25 percent of respondents citing the need for privacy
training.
The report concluded:
"Information security is a global, cross-vertical, organization-wide
concern that cannot be addressed with technology solutions alone. It requires
the unconditional commitment of an organization at the financial, management,
and operational levels to proactively secure and protect the organization's
logical and physical assets. Security management will always require the proper
balance between people, policies, processes, and technology to effectively
mitigate the risks associated with today's digitally connected business environment."
Further information about the study, including a link to the full report, can
be found here.
About the Author
Dave Nagel is the executive editor for 1105 Media's educational technology online publications and electronic newsletters.