European information security specialists 'justifying existence'

Information security professionals in Europe spend most of their time justifying their existence to upper management instead of implementing security procedures, according to a study announced on Monday.

The European results for the International Information Systems Security Certification Consortium — a not-for-profit security training company which styles itself (ISC)² — Global Information Security Workforce Study show that a quarter (25.4 percent) of respondents feel they spent most of their working day on "internal politics, gathering metrics to justify spending, or selling security to upper management."

"It is surprising that professionals whose main responsibility is security spend so much time justifying their existence. Once information security is recognised as a profession, specialists will hopefully be seen as an integral part of the business," said Sarah Bohne, director of communications and constituent services for (ISC)².

Although security specialists feel embroiled in politics, most think their influence is growing. 73.1 percent of respondents said their level of influence has increased over the last 12 months, and 33.4 percent felt their influence had "increased significantly."

Most IT security professionals think their influence will increase in the future. 78 percent expected their influence to increase over the coming year, while 37 percent expected their influence to "increase significantly".

Information security is becoming more demanding, as the skills involved become more complex and managerial, according to Bohne. "We advocate building softer skills such as managing budgets and people. [Security professionals] now have to have people skills."

Compliance was a major training need in the past year, the report says, and the number one "hot area" for training was ISO/IEC 17799 Code of Practice for Information Security Management. Information risk management; business continuity and disaster recovery planning; and security management practices were second, third and fourth most popular. Forensics was at number five. "My hypothesis is that forensics is sexier than other options. There's a lot of hype around it at the moment," Bohne said.

Certification is a good indicator of increasing expectations of professionalism, claims Bohne. "What is interesting is that certification is a good barometer of professional recognition. 23.3 percent of hiring managers cited company policy specifying information security certification when hiring. This shows the growing acceptance of information security as a profession," according to Bohne.

Out of 595 respondents, the majority were security consultants, with 29 percent IT directors or managers. 7 percent of the respondents were chief information or security officers.