A worldwide survey reveals three quarters of security professionals view reputation damage as a top priority

Avoiding reputation damage to the organization was viewed as a top priority for security programs by nearly three quarters of information security professionals surveyed in a worldwide study.

The survey was conducted on behalf of (ISC)2. It surveyed 7,548 information security professionals, including over 1,500 chief level executives and security managers, from private and public sector organizations in more than 100 countries.

Respondents came from the three major regions of the world: Asia-Pacific (34 %), Americas (41 %), and Europe, Middle East and Africa (EMEA) (25 %).

‘This fourth edition of the study demonstrates more than ever before that information security has become a business imperative for organizations of all sizes, with far-reaching concerns such as corporate reputation, the privacy of customer data, identity theft, and breach of laws and regulations driving information security governance,’ said Rob Ayoub of Frost & Sullivan, who conducted the research.

Pressure over data loss and compliance has driven accountability for information security to the executive level, with 49 % of information security professionals reporting to executive management or boards of directors.

Other study highlights include:

Smaller organizations (up to 500 employees) accounted for nearly 60 % of respondents, signifying a move from security as a priority for mostly larger organizations to organizations of all sizes due to business requirements and compliance, including the impact of the payment card industry's PCI-DSS.

A third of respondents said their primary functional responsibilities are mostly managerial. An additional 48 % also reported that their functional responsibilities will be mostly managerial in the next two to three years, suggesting a changing focus in their roles.

Approximately 20 % of respondents were at the executive (Chief Information Officer, Chief Information Security Officer, Chief Security Officer, Chief Risk Officer) or manager level.

Communications skills were seen by 81 % of respondents as ‘very important’ or ‘important’ to being a successful professional. Business skills were also seen as very important or important by 69 % of respondents.

Information security is moving beyond the perimeter and becoming more data-focused, protecting data both at rest and in transit, with wireless security solutions, cryptography, storage security and biometrics featured in the top five technologies being deployed in most regions.

Information security awareness is appreciated as a significant factor in effective information security management: Users following information security policy was identified globally as the most important factor in a security professional's ability to protect the organization. In addition, 51 % of respondents identified internal employees as the biggest threat to their organizations.

Seventy-eight percent of hiring managers cited certifications as either ‘very important’ or ‘somewhat important.’ While ‘quality of work’ and ‘company policy’ were the top reasons given for certification's importance, a new reason, ‘customer requirement,’ was identified by 33 % of respondents requiring certifications.