Study: Information security field to grow steadily

WASHINGTON - The number of cybersecurity professionals is projected to grow at an annual compound rate of nearly 14 percent from now until 2008, according to a study released this week during the Computer Security Institute (CSI) trade show in Washington, D.C.

The Information Security Workforce Study, conducted by IDC for the International Information Systems Security Certification Consortium, or (ISC)2, projects that the number of information security professionals worldwide will be 2.1 million in 2008, up from 1.3 million currently.

The study's authors predict that information security jobs will grow at an annual compound rate of 13.7 percent worldwide, while the number of those jobs in the Asia/Pacific region will grow 18.3 percent a year through 2008, compared to a 5 percent to 7 percent growth in IT jobs in general.

Those numbers indicate that the U.S. is most advanced in dealing with information security and adopting security technologies, while companies in the Asia/Pacific region are trying to catch up, said Allan Carey, an IDC analyst and author of the study.

The survey of 5,371 full-time information security professionals in 80 countries also found that 97 percent of respondents had moderate to very high expectations for career growth. Security professionals have also experienced growth in job prospects, career advancement, higher base salaries and salary premiums for certification at faster rates than other areas of information technology, according to the study.

Billed as the first major global study of the information security profession, the IDC survey also found that 23 percent of respondents reported to bosses outside of the information technology division, such as chief executive officers and chief financial officers. Executive management titles such as chief information security officer and chief security officer made up more than 10 percent of respondents, although neither position existed 10 years ago, the study's authors noted.

The study seems to show progress in getting information security issues recognized outside the IT department, said James R. Wade, a member of the (ISC)2 board of directors. "It's beginning to be recognized more broadly as an enterprise-wide area," Wade said.

Businesses seem to be heeding calls for top executives to get involved in information security, Carey added. "Security is being more ingrained within the business and within daily operations," Carey said. "It's not just a technology solution any more -- you can't just throw a firewall in ... and the problem's solved. You have to address security from a people, processes and technology standpoint in order to really have a successful security strategy in place."

The study also found that in-house information security workers aren't just for major corporations, Wade said. Twenty-one percent of respondents were from companies with less than $10 million in annual revenue, and 17 percent of respondents were from companies with fewer than 100 employees. "What this is saying to us is that information security belongs in all organizations, regardless of size," Wade said.

Sixty-five percent of respondents were from companies with more than 1,000 employees. A survey was conducted earlier this year through a Web-based portal, with traffic driven to the site through the use of e-mail solicitations to 40,000 professionals worldwide.

To request a copy of the study, interested parties should e-mail gwsstudy@isc2.org.