Security hits the business agenda

ISC2 survey highlights the growing importance of information security as a business enabler

The risk of corporate reputation damage is raising the profile of information security in organisations, according to a new global survey by security certifications organisation ISC2, launched yesterday at Infosec.

The annual Global Information Security Workforce Study of over 7,500 security professionals reveals that avoiding damage to the organisation's reputation is viewed as a top priority by 71 per cent. A further 70 per cent said protecting customer data was a top priority, while 61 per cent said the risk of breaching laws and regulations was a driver for information security governance.

Reflecting the growing importance of security to the business, the number of security professionals reporting to executive management has increased to 33 per cent, compared to 21 per cent four years ago.

Eighty per cent of survey respondents also rated communications skills as important or very important to the success of their role, while over two-thirds said business skills were important.

"It looks like information security is at long last being recognised by the business," said John Colley, European managing director of ISC2. "There are a lot of parallels between security and what happened in IT over the last 40 years. Security is going through that same evolution [towards being a business enabler] but in a much shorter period of time."

Experience levels are also rising in the industry, the report found, with an average of just over eight years across Europe, the Middle East and Africa. This region also had the highest number of professionals with masters and PHD qualifications.

"This is a profession where a lot is based on judgement – not just technical issues," said Colley. "The higher up the chain you go the more the qualification of preference is the MBA, which reflects the fact that firms are looking for information security leaders who are also business leaders."

Security awareness was also noted as a major factor in effective information security management. Users following security policies was found to be the most important factor in the ability of respondents to protect their organisations.