Asia IT falls short of experience

US professionals have more years in the industry and are better paid A NEW STUDY reveals that IT professionals working in the area of security in Asia have less experience than their counterparts in the United States. The 2005 global information security workforce study conducted by technology research firm International Data Corporation (IDC) indicated 46.6 per cent of the respondents in the US had 10 years or more experience in the industry, compared with only 17.4 per cent in the Asia-Pacific. The survey received 4,305 responses from full-time information security professionals in 80 countries and was conducted on behalf of the International Information Systems Security Certification Consortium, known as the (ISC)2, an international organisation that offers education and certification for information security professionals. Chester Soong, a Hong Kong-based (ISC)2 Asian advisory board member, said an obvious reason for the discrepancy in experience was the Asia-Pacific region's less mature IT market. He said a small and fragmented security market in Asia had resulted in fewer large-scale projects available for professionals to work on. Also, technicians in the US tended to have more opportunities to try to test new security techniques, compared with those in Asia. With less experience in Asia, the average earnings power among security professionals in the region was also significantly lower than those in the US. IDC noted that the average annual salary of security professionals in America was about US$96,000, more than double that of professionals in Asia, where the average income was about US$46,000. IDC said a higher percentage of professionals in the Asia-Pacific region were in the salary range of US$30,000 or below, suggesting that the number of young information security professionals accepting entry-level positions in the region was on the rise. About 40 per cent of the respondents in the Asia-Pacific anticipated an increasing level of education and training, much higher than the global average, which was only 22 per cent. Mr Soong said the difference was probably caused by cultural and certification factors. 'People in Asia tend to acquire skills and knowledge through classes and examinations rather than through self-study and reading books,' he said. 'Besides, certification is relatively important for employers in the region, as well as among the RFP [requests for proposal] of information security projects.' The importance of training and certification was also indicated among employers. The survey showed 33 per cent of the total respondents were in a position to make hiring decisions and 90 per cent of them considered certification somewhat important or very important when making hiring decisions. 'By requiring certifications, organisations eliminate much of the unknown factor from the hiring equation and achieve some degree of comfort or a guarantee as to an individual's competency [and] knowledge level,' IDC said. 'Certification can be critical in terms of mitigating any associated risk or legal liability that may arise from an employee's actions.' The survey also found organisations, on average, were planning to spend 43 per cent of their IT security budgets on personnel, education and training. IDC indicated the figures reflected that more enterprises no longer considered information security as 'an administrative detail on the overhead budget or a technical issue easily addressed with the latest off-the-shelf technology product'. More had come to realise security was part of the corporate agenda and strategic business process. 'Security teams must now perform an ever-growing list of activities such as threat mitigation, compliance auditing and proactive security management and monitoring,' IDC said. Mr Soong agreed that certification in the information security industry was particularly important because it was the most rapidly changing among all the IT areas. But whether a certification could reflect the individual's competency depended very much on their requirements. 'Most certifications with higher creditability do not only assess the person's knowledge but provide continuous monitoring of the individual's involvement within the industry,' he said. 'This is particularly important in this rapidly changing industry.'