
Information Security Career Progression Survey Results

ISACA®

With more than 75,000 members in more than 160 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal®, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®) designation, earned by more than 60,000 professionals since 1978; the Certified Information Security Manager® (CISM®) designation, earned by more than 9,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT™ (CGEIT™) designation.

Disclaimer

ISACA has designed and created this publication, titled Information Security Career Progression Survey Results (the “Work”), primarily as an educational resource for information security managers. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, control professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

Disclosure

© 2008 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction of selections of this publication is solely permitted for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.isaca.org

Printed in the United States of America

© 2008 ISACA. All Rights Reserved.


Acknowledgments

ISACA wishes to recognize:

Board of Directors
Lynn Lawton, CISA, FBCS CITP, FCA, FIIA, PIIA, KPMG LLP, UK, International President
Georges Ataya, CISA, CISM, CISSP, ICT Control sa-nv, Belgium, Vice President
Tony Hayes, FCPA, Queensland Government, Australia, Vice President
Avinash Kadam, CISA, CISM, CBCP, CISSP, GCIH, GSEC, Miel e-Security Pvt. Ltd., India, Vice President
Howard Nicholson, CISA, City of Salisbury, Australia, Vice President
Jose Angel Peña Ibarra, Consultoria en Comunicaciones e Info., SA & CV, Mexico, Vice President
Robert E. Stroud, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP, USA, Vice President
Frank Yam, CISA, FHKCS, FHKIoD, CIA, CCP, CFE, CFSA, FFA, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, Director
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Director

Security Management Committee
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, Chair
Juan Manuel Aceves Mercenario, CISM, CISA, CISSP, Cerberian, Mexico
Kent E. Anderson, CISM, Network Risk Management LLC, USA
Yonosuke Harada, CISA, CISM, CAIS, InfoCom Research Inc. and Osaka University, Japan
Yves Le Roux, CISM, CA Inc., France
Mark Lobel, CISA, CISM, CISSP, PricewaterhouseCoopers LLP, USA
Vernon Richard Poole, CISM, CGEIT, Sapphire, UK
Jo Stewart-Rattray, CISA, CISM, Vectra Corporation, Australia
Rolf von Roessing, CISA, CISM, CISSP, FBCI, KPMG Germany, Germany

CISM Certification Board
Evelyn Susana Anton, CISA, CISM, UTE, Venezuela, Chair
Garry James Barnes, CISA, CISM, CISA, Commonwealth Bank of Australia, Australia
Allan Neville Boardman, CISA, CISM, CA, CISSP, JP Morgan Chase, UK
John Randolph Caraway, CISM, CISSP, JP Morgan Chase, USA
James A. Crawford, Jr., CISM, CISSP, MSIA, Marine Forces Reserve, USA
Ramses Gallego, CISM, CISSP, SCPM, SurfControl, Spain
Kyeong-Hee Oh, CISA, CISM, CISSP, Fullbitsoft, Korea
Hitoshi Ota, CISA, CISM, CIA, Mizuho Corporate Bank Ltd., Japan
Smita Dilip Totade, Ph.D., CISA, CISM, FEI, National Insurance Academy, India


Table of Contents

CISM Career Growth ..... 5
Education ..... 5
  Figure 1—Highest Level of Education Completed ..... 5
  Figure 2—Importance of Education in Specific Categories ..... 6
Certification ..... 6
  Figure 3—Importance of Professional Certification in Specific Categories ..... 7
Career Progression ..... 7
  Figure 4—Reasons for Beginning a Career in Information Security ..... 8
  Figure 5—Comparisons of Primary Position Roles at Current and Prior Jobs ..... 8
  Figure 6—Ten Most Common Activities Performed by CISMs in Current and Prior Positions ..... 10
  Figure 7—Next Career Step for CISMs ..... 10
Conclusions ..... 10
Other Publications ..... 11


CISM Career Growth

The Certified Information Security Manager® (CISM®) designation, offered by ISACA®, is growing rapidly. Only five years old, it has already been earned by more than 9,000 professionals worldwide since its inception. Recognition and respect are also growing for this sought-after certification. In fact, while other certifications seem to be decreasing in value, CISM is generating increased regard and professionals holding the certification are able to command high salaries.

In Certification Magazine’s 2007 Salary Survey, CISM comes in as the second-highest paid IT certification, at an average of US $115,072 annually. This is especially interesting when compared to the fact that in the same survey, security, which was the highest paid discipline in 2006, fell to fourth place in 2007—from an average salary of US $93,500 to US $87,890. At US $115,072, CISM is clearly being recognized as an asset among business leaders.¹

What makes CISM stand out? The CISM certification identifies a seasoned professional who has experience in areas such as information security governance, risk management, information security program management, information security management and incident response.

This experience enables professionals to build and manage effective information security programs and also to demonstrate the value of information security to executive management. CISMs are experiencing tremendous career growth while acquiring responsibility for issues that demonstrate value to the business.

In November 2007, ISACA conducted a survey of CISMs worldwide. In total, 1,426 CISMs from 83 countries participated in the study. Survey respondents represented more than 20 different industries, with the highest populations in:
• Banking and financial services (26.6 percent)
• Consulting (23.75 percent)
• Technology (12.5 percent)
• Government (12 percent)
• Healthcare (4.2 percent)

The purpose of the survey was to examine how those in information security management positions have arrived at their current position, what types of activities CISMs are accountable for, and where they see themselves in the future. Major areas of the study include education, certification and career progression.

Education

In general, CISMs are a highly educated group, as shown in figure 1. At least a bachelor’s degree is held by 86.9 percent of respondents, while 49.1 percent hold an advanced degree. While educational specialization varies considerably, the top three educational areas of focus include computer science (24.6 percent), business/management (23.8 percent) and information security/information assurance (17.8 percent).


¹ “CertMag’s 2007 Salary Survey,” Certification Magazine, volume 9, issue 12, December 2007, USA

[Figure 1—Highest Level of Education Completed: pie chart of respondents by highest degree. Categories: High School, Some College, Bachelor’s Degree, Master’s Degree, Doctoral Degree. Segment values shown: 45.4%, 3.7%, 3.7%, 9.5%, 37.8%.]


Education is highly valued: 78 percent of polled CISMs claimed that their education has been important in their career.

Education factors into many aspects of a career, as shown in figure 2. When asked what importance education has played in different situations, many respondents felt that education was important for obtaining a job in information security (72.1 percent) and also for promotability within a career (77.8 percent). The most important factor, however, seems to be related to performance within the specialization of information security, as 84.1 percent of respondents stated that education was important because it added value to their role in security.

The value of education, as seen by the CISMs who participated in this study, attests to the need for a strong alignment between business and security management. Almost 42 percent of CISMs have pursued a degree in business or within the specialized area of information security or assurance. An increase in both undergraduate and graduate programs with a specialization in information security has demonstrated the importance of information security as its own discipline. Information security requires a unique curriculum to prepare students to face core business requirements as well as issues such as technology and regulation.

Certification

IT certifications are proliferating. Professional and technical certification bodies address different levels within the information security profession.

With so many certification choices available to information security professionals, it is interesting to observe which ones they value. The certification section of the ISACA questionnaire was separated into two sections: certifications were labeled as either a “professional certification” or a “technical certification.” Survey respondents reported differing opinions regarding certifications and their value.

For the most part, “professional” certifications are vendor-neutral, testing management and business skills. These certifications demand that candidates not only pass an exam, but also demonstrate substantial relevant professional experience. A few examples of certifications considered “professional” for this study included the CISM and: Certified Information Systems Auditor™ (CISA®) by ISACA, Certified Internal Auditor (CIA) by The Institute of Internal Auditors, Certified Information Systems Security Professional (CISSP) by (ISC)² and Certified Protection Professional (CPP) by ASIS International.

Technical certifications are often vendor-specific, more technical in nature, and may offer multiple certification levels demonstrating different degrees of experience. Examples of certifications considered “technical” for this study included: Cisco Certified Security Professional (CCSP), Microsoft Certified Systems Engineer (MCSE-Security), Security+ (CompTIA Security+) and Global Information Assurance Certification (SANS/GIAC).

[Figure 2—Importance of Education in Specific Categories: bar chart, percent of respondents rating education important. Adds Value to Role 84.1%; Promotability in Career 77.8%; Obtain Job in Information Security 72.1%.]


A large number of information security managers reported holding professional certifications in addition to CISM. In fact, 45 percent have the CISSP certification and 43.1 percent have attained CISA certification.

In addition to professional certifications, 24.8 percent of survey respondents also hold technical certifications. Of those, 18.6 percent maintain a current TruSecure Internet Security Certified Associate (TISCA), 15.7 percent hold an MCSE-Security, and 12.2 percent have CERT’s Certified Computer Security Incident Handler Certification (CSIH) designation.

When asked about the overall importance of a professional certification (see figure 3), 81.7 percent of respondents agreed that certification is important overall. Specifically, 92.3 percent indicated that their professional certifications are important to demonstrate competency in their job, 88.7 percent felt they are important in gaining professional recognition, 82.9 percent pointed to their importance in gaining recognition from peers and 77 percent felt they are important in qualifying for a new position. Also, 61.9 percent of respondents indicated that they intend to pursue additional professional certifications.

These numbers changed significantly when respondents reported the importance of technical certifications. When holders of technical certifications were asked how they felt about the overall importance of their technical certification, only 38 percent said that having the certification was important.

Among technical certification holders, only 47.9 percent felt that having the certification was important to help demonstrate professional competency, 42 percent felt that the certification had helped them to prepare for a career in information security, 39.3 percent felt that the certification had been important in helping to gain professional recognition and 36.7 percent felt as though their technical certification would be important in helping to qualify for a new position. Only 15.6 percent of technical certification holders reported that they will pursue additional technical certifications.

Career Progression

As diverse as certification and educational circumstances are, so too have been the ways CISMs have progressed within their careers (see figure 4).

When asked how they became involved in information security, CISMs had a variety of answers. The largest number of respondents, 25.5 percent, said that they chose information security simply because it was an interesting field; 14.3 percent cited that they became involved with information security because their role in IT emerged as a distinct professional competency; 8.6 percent indicated that they entered the field because of a job opportunity; 7.3 percent noted that they entered information security without preplanning a specific career; and 7.1 percent stated that the market demand and business needs pushed them into security.

Figure 3—Importance of Professional Certification in Specific Categories (percent of holders rating the certification important)

Category | Professional Certification | Technical Certification
Overall | 81.7 | 38.0
New Career | 78.8 | 42.0
Professional Competency | 92.3 | 47.9
New Job | 77.0 | 36.7
Promotion | 62.1 | 30.9
Professional Recognition | 88.7 | 39.3
Recognition From Management | 75.5 | 34.3
Recognition From Peers | 82.9 | 39.9


To see how CISM roles and responsibilities have evolved, it is necessary to compare positions and responsibilities of CISMs in their current position and the one immediately prior. This provides a view into the evolving job responsibilities, titles and reporting structures that CISMs have experienced within their career progression (see figure 5).

Clear career growth is shown when position roles are considered. For example, when CISMs were asked about their prior position, only 7 percent claimed a position in information security executive management. This position description was not even one of the top five positions. When asked about their current position description, information security executive management placed second, with 14.4 percent of respondents describing themselves as such. Information security provides career progression and CISMs are moving into top leadership positions.

In addition, 33.5 percent of CISMs described their current role as that of information security management, which is an increase of 10.9 percent from their previous role. Combining the two top positions, the survey shows that 47.9 percent of respondents categorized their current role as either information security executive management or information security management. Only 29.6 percent of respondents categorized their previous role the same way. CISMs are experiencing significant opportunities for career advancement.

A decrease is seen in the number of CISMs who described their current role as an information security technical position. At 6.5 percent, this description did not place in the top five descriptions for the current position, but was third—with 10.7 percent—in previous role descriptions. The role of information security manager is evolving to be one that focuses on the application of technology to solve business problems rather than being a purely technical specialization.

[Figure 4—Reasons for Beginning a Career in Information Security: bar chart, percent of respondents. Interesting Field 25.5; IT Emergence 14.3; Job Opportunity 8.6; Accident 7.3; Market Demand 7.1. The remaining categories shown are Added Workload, Audit, Natural Progression, Military and Security Project Manager, with the remaining values shown being 6.1, 5.6, 4.8, 2.8 and 2.6.]

[Figure 5—Comparisons of Primary Position Roles at Current and Prior Jobs: bar chart of current position versus prior position, percent of respondents. Roles shown: Consultant, Information Security Management, Consulting Firm Partner/Director, Information Security Executive Management, IT Management, Information Security Technical Position. Values confirmed by the text: Information Security Management 33.5 current / 22.6 prior; Information Security Executive Management 14.4 current / 7.0 prior; Information Security Technical Position 6.5 current / 10.7 prior. Other values shown on the chart: 7.4, 6.3, 6.4, 14.9, 9.0, 3.8.]


In addition, 43.6 percent of respondents stated that in their prior position they reported to senior management or to a director; 30.6 percent said that they reported directly to executive management and 18.7 percent reported that they answered to someone at a manager level. Reporting at higher levels in the organization, CISMs are expected to bring value and to participate in more strategic business-related activities.

When the reporting lines of current roles are considered, growth is reflected once again: 40.6 percent of CISMs polled stated that they now report directly to executive management and 41.4 percent report to senior management or a director. Only 13 percent of respondents are currently reporting to someone at a manager level.

When these statistics are examined, it is clearly evident that CISMs are experiencing career growth. Whether it is moving up higher in management or into management for the first time, a consistent pattern of advancement is demonstrated.

As can be imagined with such a shift in job roles, responsibilities have changed as well (see figure 6 for the top 10 functions for which CISMs claimed responsibility in their current and prior roles).

The ISACA survey compared the activities for which CISMs are currently responsible with those they performed in their prior role. The responses revealed that CISMs are experiencing a significant widening in the breadth of their responsibilities as well as a change in the type of responsibilities.

In prior positions, survey respondents reported that they had responsibility for technology-focused functions such as data security, network security, disaster recovery, and system and application security. The majority of respondents did not report being accountable for functions that are traditionally business-focused.

However, the functions for which CISMs are responsible in their current role are quite different. CISMs reported that they are now responsible for more business-related functions such as risk management. For example, when polled on prior job responsibilities, only 54.8 percent of respondents answered that they had responsibility for the risk management function. In their current position, 76.6 percent do. Security program management is also increasingly a responsibility of CISMs, from 49.0 percent in their previous role to 74.0 percent in their current one.

Regulatory compliance, at 44.7 percent, failed to break into the 10 most frequently performed activities in prior positions. It was the fifth most frequently cited responsibility in current positions, with 63.4 percent of respondents claiming ownership of this function. This is an indication that protection functions such as compliance and risk management have become increasingly important as business drivers and are receiving more attention from the boardroom.

As noted previously, many of the information security managers who participated in this study had responsibility for technology-driven functions, such as network security, in their prior positions. Their current positions reflect little growth in functions that deal mainly with technology.

Network security was among the most frequently performed activities (third) in prior jobs, with 53.5 percent of respondents holding responsibility for the function. In current jobs, it increased to 57.3 percent. It dropped, however, to the eighth position among most-performed activities. Telecommunications security also increased, but only slightly, from 22.7 percent to 24.7 percent.

It appears that the role of the information security manager is evolving. When comparing responsibilities held by CISMs in their current and prior positions, the functions that are gaining momentum are those more significantly aligned with business needs and priorities. The information security management role is becoming increasingly focused on business enablement rather than on technology.


The growth pattern among CISMs is very clear. CISMs have been able to move up into management ranks and have also acquired more responsibilities, particularly those with a business focus. Given that CISMs are experiencing significant career growth, it is not surprising that survey respondents still intend to strive for further expansion in their career.

When asked about their next career step, 40.6 percent of respondents (27.1 + 13.5) answered that they intend to step into an executive management role. Of those, 27.1 percent see themselves in a chief information security officer (CISO) role (see figure 7).

Conclusions

Information security is an evolving profession. In the past, technology dictated security; now business is the main driver.

CISMs have grown in their careers and continue to acquire more responsibility for functions that are closely aligned with business. Regulatory compliance, which did not make the 10 most frequent activities that security managers were responsible for in their prior positions, registered as the fifth most frequent in current roles. In addition, CISMs are taking responsibility for functions such as risk management, governance and architecture. These are the areas that will help to demonstrate the value that information security provides to the enterprise.

Figure 6—Ten Most Common Activities Performed by CISMs in Current and Prior Positions

Rank | Current Position | Percent | Prior Position | Percent
1 | Risk Management | 76.6 | Data Security | 56.6
2 | Security Program Management | 74.0 | Risk Management | 54.8
3 | Data Security | 70.7 | Network Security | 53.5
4 | Policy Creation and Maintenance | 65.3 | Security Program Management | 49.0
5 | Regulatory Compliance | 63.4 | Policy Creation and Maintenance | 48.8
6 | Security Project Management | 59.6 | Business Continuity/Disaster Recovery | 45.8
7 | Incident Management | 58.5 | System and Application Security | 45.2
8 | Network Security | 57.3 | Security Architecture | 45.1
9 | Business Continuity/Disaster Recovery | 56.1 | Incident Management | 44.8
10 | Security Architecture | 55.9 | Security Project Management | 44.8

[Figure 7—Next Career Step for CISMs: bar chart, percent of respondents. Security Executive (CISO) 27.1; Senior or IT Executive 13.5. The remaining categories shown are Security Manager, Security Director, Consultant, Other, Senior Management, Manager of Audit, Risk or IT, Other Director, Remain in Position, Don’t Know and Security Architect, with the remaining values shown being 9.5, 9.4, 8.7, 8.3, 6.5, 5.2, 4.5, 3.9, 2.1 and 1.4.]


Other Publications

Many publications issued by ITGI and ISACA contain detailed assessment questionnaires and work programs. For further information, visit www.isaca.org/bookstore or e-mail [email protected].

Security
• Cybercrime: Incident Response and Digital Forensics, 2005
• Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, 2006
• Information Security Governance: Guidance for Information Security Managers, 2008
• Information Security Harmonisation—Classification of Global Guidance, 2005
• Managing Enterprise Information Integrity: Security, Control and Audit Issues, 2004
• Security Awareness: Best Practices to Serve Your Enterprise, 2005
• Stepping Through the InfoSec Program, 2007

Assurance
• Stepping Through the IS Audit, 2nd Edition, 2004

Specific Environments
• Electronic and Digital Signatures: A Global Status Report, 2002
• Enterprise Identity Management: Managing Secure and Controllable Access in the Extended Enterprise Environment, 2004
• ITAF™: A Professional Practices Framework for IT Assurance, 2008
• Linux: Security, Audit and Control Features, 2005
• Managing Risk in the Wireless LAN Environment: Security, Audit and Control Issues, 2005
• Oracle® Database Security, Audit and Control Features, 2004
• OS/390—z/OS: Security, Control and Audit Features, 2003
• Risks of Customer Relationship Management: A Security, Control and Audit Approach, 2003
• Security Provisioning: Managing Access in Extended Enterprises, 2002
• Virtual Private Network—New Issues for Network Security, 2001

ERP Series

IT Governance
• Board Briefing on IT Governance, 2nd Edition, 2003
• IT Governance Global Status Report—2008

COBIT and Related Publications
• COBIT® 4.1, 2007
• COBIT® Control Practices, Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, 2007
• COBIT® Security Baseline™, 2nd Edition, 2007
• COBIT® Quickstart™, 2nd Edition, 2007
• IT Assurance Guide: Using COBIT®, 2007
• IT Control Objectives for Basel II: The Importance of Governance and Risk Management for Compliance, 2007
• IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition, 2006
• IT Governance Implementation Guide: Using COBIT® and Val IT, 2nd Edition, 2007

COBIT Mapping Series

IT Governance Domain Practices and Competencies

Val IT
