European information security specialists 'justifying existence'

European information security specialists 'justifying existence'

Summary: IT Security professionals think they are becoming more influential according to the latest study from RSA

TOPICS: Security

Information security professionals in Europe spend most of their time justifying their existence to upper management instead of implementing security procedures, according to a study announced on Monday.

The European results for the International Information Systems Security Certification Consortium — a not-for-profit security training company which styles itself (ISC)² — Global Information Security Workforce Study show that a quarter (25.4 percent) of respondents feel they spent most of their working day on "internal politics, gathering metrics to justify spending, or selling security to upper management."

"It is surprising that professionals whose main responsibility is security spend so much time justifying their existence. Once information security is recognised as a profession, specialists will hopefully be seen as an integral part of the business," said Sarah Bohne, director of communications and constituent services for (ISC)².

Although security specialists feel embroiled in politics, most think their influence is growing. 73.1 percent of respondents said their level of influence has increased over the last 12 months, and 33.4 percent felt their influence had "increased significantly."

Most IT security professionals think their influence will increase in the future. 78 percent expected their influence to increase over the coming year, while 37 percent expected their influence to "increase significantly".

Information security is becoming more demanding, as the skills involved become more complex and managerial, according to Bohne. "We advocate building softer skills such as managing budgets and people. [Security professionals] now have to have people skills."

Compliance was a major training need in the past year, the report says, and the number one "hot area" for training was ISO/IEC 17799 Code of Practice for Information Security Management. Information risk management; business continuity and disaster recovery planning; and security management practices were second, third and fourth most popular. Forensics was at number five. "My hypothesis is that forensics is sexier than other options. There's a lot of hype around it at the moment," Bohne said.

Certification is a good indicator of increasing expectations of professionalism, claims Bohne. "What is interesting is that certification is a good barometer of professional recognition. 23.3 percent of hiring managers cited company policy specifying information security certification when hiring. This shows the growing acceptance of information security as a profession," according to Bohne.

Out of 595 respondents, the majority were security consultants, with 29 percent IT directors or managers. 7 percent of the respondents were chief information or security officers.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Im my humble opinion certification is what gets you in and experience, skills, etc is what keeps you in.

    As such (PR) managers are well advised to look beyond just certification.
  • If infosec professionals are having to justify their existence because management has finally noticed them, that's good news. Management are supposed to care about IT, and about the security of the organization's data; they're also supposed to care about achieving their business objectives. Unfortunately, though, infosec professionals forget all too often about the latter - and being forced to justify their existence in business terms means that they have a real opportunity to be around for the long term as key business contributors - let's hope that they seize the day.