The survey had received 82 valid answers by 27 August 2006. The survey in Spanish received 8 valid answers and the survey in English 74 valid answers. Out of the 82 valid respondents, 60 (73% of respondents) provided an email address to receive the results of the study.
Question 1: Position title
Over 63% of respondents work in the information security or IS security field. Almost 21% of respondents occupy ‘other’ positions in the organisation (see figure 19); this provides a general organisation-wide perspective to answers given to the survey and possibly contributes to the variability of some answers. Overall, there is a balanced variety of positions represented in the answers.
Question 2: Seniority in current position
Close to 60% of survey participants have more than 3 years' experience in their position. As a minimum, survey answers represent more than 220 years of experience.
Question 3: Field of expertise of previous position
68% of respondents come from the information technology field. The answers show that information security positions are currently filled mainly by IT professionals and, to a lesser extent, by auditors. In addition, this percentage shows the recent creation of information security positions in organisations: only around 12% of respondents occupied an information security or risk management position before their current position.
Only slightly more than 3% of respondents come from a financial position. This indicates the difficulty information security professionals currently have in using concepts like return on security investment (ROSI) and quantitative risk measurement.
Question 4: Position respondents report to
Information security is not only an information systems agenda topic. Although more than 30% of respondents still report to the CISO, almost 20% of respondents report to the organisation’s CEO or Board.
In addition, almost 9% of participants report to a security officer and 13% to the chief auditor. This may show a trend to link information security either with corporate security (responsible for IT, physical security and, sometimes, business continuity) or audit.
These answers show that risk management integration has not yet brought a common reporting line: only 3% report to a chief RM officer and only 2% to a financial officer.
Question 5: Scope of influence (number of employees influenced by their work)
About 40% of respondents influence between 100 and 1000 employees. The number of influenced staff is rather balanced in the survey answers.
It is remarkable that 13% of respondents influence fewer than 100 employees. This is a new phenomenon: information security positions are starting to appear in small companies.
Question 6: Sector of the organisation
More than half of the respondents work in the financial sector. This is a key element to consider when discussing results. Almost a quarter of the surveyed professionals work in ICT-related industries. Utilities and government are represented by only 3% and 2% of respondents, respectively, and the remaining sectors represent close to 20% of answers.