​

THE STATURE OF information security professionals within the organization is growing, thanks to proactive risk management approaches, legislative requirements, and the complexity of the systems they manage. That’s a conclusion from research conducted by IDC on behalf of (ISC)2, the International Information Systems Security Certification Consortium.

The survey of 4,305 information security professionals (including chief information security officers, chief security officers, and security consultants) from companies large and small across the world notes the ever-increasing number of responsibilities of these security workers. In addition to their daily responsibilities, these security workers must now spend “a disproportionate amount of time and resources researching and implementing new technologies, demonstrating regulatory compliance, and addressing internal political issues.”

As business enablers rather than cost centers, IT security now “must compete with other business groups for scarce resources such as staff and budget.”

Howard Schmidt, former vice chair of President Bush’s Critical Infrastructure Protection Board and now head of his own firm, R&H Security Consulting, says that the survey results provide hard evidence that the importance of security professionals is finally being recognized.

Companies have realized that security professionals are not simply the people to be called when something goes wrong, says Schmidt; the new attitude, he says, is, “They’ve got to be at the table with us as we start developing the strategic plans and the business plans.”

Schmidt also notes that the results of the recent Convergence of Enterprise Security Organizations conducted by Booz Allen Hamilton for ASIS International indicate that many companies have taken this lesson to heart and adopted an enterprisewide view of risk, and the (ISC)2 survey results back this up. “It’s the same thing a number of us have been saying for a number of years, but now there’s some good empirical data that supports that.”