News
Information Security Set for Explosive Growth
- By David Nagel
- April 23, 2008
Driven by compliance and public confidence issues, information security is
expected to expand dramatically over the next few years, according to new research
released by
Frost & Sullivan
and
(ISC)².
Worldwide, the number of information security professionals will grow from
1.66 million in 2007 to about 2.7 million in 2012, experiencing a compound annual
growth rate of 10 percent.
As a percentage, the bulk of this growth, according to the report, will happen
in Europe, the Middle East and Africa (13 percent collectively). However, the
Americas, at a 10 percent CAGR, dominate in raw numbers, growing from 685,700
in 2007 to a little more than 1.1 million in 2012. The Asia-Pacific region will
see the slowest compound annual growth of the three major regions, at 8 percent.
The report, entitled "The 2008 (ISC)² Information Security Workforce
Study," polled 7,548 respondents from both the public sector and the private
sector in fall 2007. It showed that the factors driving growth in information
security include:
- Regulatory compliance initiatives that place responsibility on executives.
- Organizations' needs to prevent damage to reputation (i.e., maintaining
public confidence).
- Tangible financial costs for failing to meet regulatory requirements.
On this last one, Frost & Sullivan estimated that the cost any data breach
runs anywhere from $50 to $200 per record lost, not including intangible
losses resulting from damage to an organization's reputation.
Security Technologies: Deployments
Within the information security industry, two clear winners emerged in terms
of the categories of technologies expected to be deployed worldwide within the
next 12 months: wireless security solutions (15 percent) and biometrics (14
percent). In the Americas, biometrics ranked at No. 1, with wireless security
coming in at No. 2.
Beyond these, intrusion detection and disaster recovery/business continuity
tied at 12 percent. At 11 percent each were storage security and cryptography.
(Storage security did not make the top 5 in the Americas.)
At the 10 percent level were:
- Intrusion prevention.
- Risk management solutions.
- Vulnerability assessment and penetration testing.
- Incident management.
At the 9 percent response level were:
- Identity and access management.
- Security event or information management.
- Vulnerability management.
- SIM (Security Information Management).
- Problem management.
And, at the lowest tier of the top-21 technologies scheduled for deployment,
at 8 percent, were:
- Compliance management.
- Configuration management.
- Database security.
- Web application security.
- SIEM (Security Information and Event Management).
- Change management.
Security Training
And in order to support these technologies and the security goals they represent,
training for information security professionals in expected to increase in the
next 12 months. Around the world, 56 percent of respondents reported that they
expect spending on training to increase in the coming year. The Americas saw
the highest response in this area, at 58 percent. Globally, only 4 percent of
respondents said they expected decreases in spending on information security
training, with the lowest figure in the Americas, at 2 percent.
The top 5 areas in which respondents indicated the need for training was greatest
included security administration (50 percent), applications and system development
security (35 percent), telecommunications and network security (31 percent),
access control systems and methodology (30 percent), and business continuity
and disaster recovery planning (29 percent).
Forty percent of respondents indicated that they personally expect to acquire
additional certifications within the next 12 months.
Users: Oh, Yeah...Them
Respondents indicated, however, that users are the greatest problem facing information
security, with a full 80 percent reporting that users following security policy
is important (32 percent) or very important (48 percent) to overall security
within an organization. In fact, security policy issues with users, management,
and security personnel beat out all other categories in terms of perceived importance,
including software solutions, hardware solutions and even hiring qualified security
staff.
The study did not poll information security professionals on their attitudes
toward providing service to users within an organization. However, there was
one area that touched on user needs, and that was in the area of training for
security professionals in privacy. This ranked lowest among all cited areas
of training, with only 25 percent of respondents citing the need for privacy
training.
The report concluded:
"Information security is a global, cross-vertical, organization-wide
concern that cannot be addressed with technology solutions alone. It requires
the unconditional commitment of an organization at the financial, management,
and operational levels to proactively secure and protect the organization's
logical and physical assets. Security management will always require the proper
balance between people, policies, processes, and technology to effectively
mitigate the risks associated with today's digitally connected business environment."
Further information about the study, including a link to the full report, can
be found here.
About the Author
Dave Nagel is the executive editor for 1105 Media's educational technology online publications and electronic newsletters.