The (ISC)2/IDC 2004 Global Information Security Workforce Study was conducted by IDC on behalf of the consortium to provide comprehensive, meaningful research data for the first time about the information security profession to professionals, corporations, government agencies, (ISC)2 constituents, academia and others.
IDC analyzed responses from 5,371 full-time information security professionals in more than 80 countries worldwide who had purchasing, hiring and/or management responsibilities, with nearly half employed by organizations with $1 billion or more in annual revenue. Highlights include:
- Based on primary and secondary IDC research, IDC estimates the current number of information security professionals worldwide to be 1.3 million, a 14.5 percent increase over 2003.
- The number of professionals is expected to increase to 2.1 million by 2008 at a compounded annual growth rate (CAGR) of 13.7 percent from 2003. The Asia Pacific region is expected to grow at a faster CAGR of 18.3 percent during the same period.
- Over 97 percent of respondents had moderate to very high expectations for career growth.
- Security professionals have experienced growth in job prospects, career advancement, higher base salaries, and salary premiums for certification at faster rates than other areas of information technology.
- Information security managers believe continuing education and certification are important to the profession, with strong business acumen becoming an essential ingredient for professional success.
According to Allan Carey, the IDC analyst who led the study, government regulations, new technologies and a dynamic threat environment are driving the growth of the profession.
"With competing demands on industry and government to expand access to services and information, the highly trained and experienced information security professional must now be an active participant to fulfill stringent regulatory requirements and provide proactive solutions to circumvent emerging risks," Carey said. "Organizations are beginning to understand that it's the people, processes, policies and technology that create effective security, not technology solutions alone."
"The study shows a shift in the information security profession, indicating that business acumen is now often required along with technology proficiency," Carey said. "This widening responsibility means information security professionals not only have to receive a constant refresh of the best security knowledge but also must acquire a solid understanding of business processes and risk management to be successful in their roles."
The study was conducted via a Web-based portal in the late spring/early summer of 2004, with e-mail notifications sent to 40,000 professionals worldwide to obtain leading market indicators in the profession. The respondent profile showed:
- More than 65 percent of responding organizations had more than 1,000 employees.
- A majority represented sectors with "mission-critical" security needs such as governments and telecommunications, healthcare and financial services firms.
- Executive management titles such as Chief Information Security Officer (CISO) and Chief Security Officer (CSO) made up more than 10 percent of respondents, positions that did not exist 10 years ago.
To request a copy of the study, interested parties should e-mail wkfstudy@isc2.org. In addition to the study released today, specific data on information security professionals in the U.S. federal government will be released by the end of the year.