By W. Hord Tipton, CISSP-ISSEP, CAP, CISA, Executive Director, (ISC)²
The first annual ASIS and (ISC)² Security Congress event was held in Orlando in September, and for those who attended, it was a major success. Our members made the most of the time with their traditional security counterparts at ASIS, and formally recognized that the physical and logical sides of the enterprise have much in common.
In practice, however, the integration of physical and logical security still has a long way to go. That is one of the things you told us in a survey conducted before the Congress, “Perceptions of the Intersection of Traditional and Information Security.” As you may recall, this survey set out to assess where traditional and information security intersect, the issues our global members face in this context, which skills are in demand as a result, and where you see the security industry headed.
More than 1,000 professionals answered the survey, and your participation is greatly appreciated. We thought you might be interested to see the results, as well as some of the conclusions we drew from the data as we look ahead to next year’s Congress – and beyond.
- Integration of physical and logical security is still a work in progress. For most key elements of the enterprise, only about a third of you said that the traditional security and IT security organizations share responsibility for protection: property (31.9%), supply chains (34.5%), executives (32.2%), and brands (36.0%). But there is some progress: a majority of you said that the protection of people (52.4%) and of information (55.9%) is shared between the two organizations. A majority (51.2%) said that the physical and logical security organizations work together to some degree, and nearly a third (31.6%) reported that the two groups work together to a great degree.
- Risk management efforts are still highly fragmented. While members listed data breaches (83.9%) and compliance (60.1%) as their most critical security-related concerns, only about half of respondents (51.1%) said that their organizations have an enterprise-wide view of risk that addresses these concerns. Almost half (47.5%) said risks are identified, assessed, and addressed independently within individual reporting structures, and only 42.5% said they have cross-functional teams that work to address critical risks. In most cases, however, the IT organization is the key driver of the risk management function: 91.1% of respondents said the IT department plays a key role in assessing and mitigating risk, and nearly 87% said their enterprise-wide risk assessments are led by the CISO or CSO.
- The CISSP is one of the top three credentials employers seek for practitioners working across traditional and logical security. 55.9% of you said the credential most recommended for those working at the intersection of these fields was the CSC, followed by the Certified Facility Manager (CFM) at 55.8% and the CISSP at 54.6%.
In all three cases, the message is clear: security organizations, practices and people are all under construction. While great progress has been made in integrating traditional and logical security functions, building an enterprise-wide risk management process, and broadening the skills of the security professional, there remains much work to be done.
At (ISC)², we look forward to the opportunity to help our members in all three of these endeavors, and we will always consider your feedback on how we can improve our efforts. As we begin our planning for the coming year and for the 2012 Security Congress, we look forward to your continued input, community, and participation in everything we do. Thanks for making (ISC)² the best it can be!
To see the full results of the study, please visit the (ISC)² member home page.
Mr. Tipton is the Executive Director for (ISC)², the largest not-for-profit membership body of certified information security professionals worldwide, with over 80,000 members in more than 135 countries. In his current role, he is responsible for overseeing the management team and guiding the organization’s strategic direction in accordance with the (ISC)² Board of Directors. Before joining (ISC)², he served for five years as the Chief Information Officer (CIO) for the U.S. Department of the Interior, and received the Distinguished Rank Award from the President of the United States, the highest lifetime award attainable by a federal civil servant.