Undereducated security workers are the leading cause of security breaches, according to two new studies, and a lack of spending on security training is leaving security managers poorly equipped to handle a growing number of breaches.
Take the Information Security Breaches Survey 2004, conducted biennially by PricewaterhouseCoopers (PwC) for the U.K. Department of Trade and Industry. Among the 1,001 companies interviewed, ranging from fewer than 10 to more than 10,000 employees, the report's authors see "a shortage of staff with IT expertise." Only 25% of companies with more than 250 people "have staff with formal information security qualifications." That figure drops to 1 in 10 for smaller companies. Only 11% have someone with a specialized certification, such as CISSP or Security+.
Education spending hasn't kept pace with the increasing severity of security breaches. Comparing the 2002 and 2004 surveys, the share of U.K. companies suffering at least one security breach per year jumped from half to two-thirds of all respondents. The average large company now has one security incident per week, costing $213,000.
Another survey, conducted by TNS Prognostics for Oakbrook Terrace, Ill.-based training group CompTIA, asked 638 security professionals about security breaches. Respondents cited human error as the leading cause of security breaches, with 80% principally blaming IT staff's lack of information security knowledge.
Based on those results, there is an economic payoff in preventing security breaches. Yet PwC reported the same findings two years ago and saw no change in training spending for 2004; companies aren't getting the message. They are apparently hemorrhaging money because of security breaches, but still refuse to spend the necessary cash on training.
More proof: PwC said fewer than half of surveyed organizations, the same proportion as in 2002, compute security ROI. Executives don't request it, and even when they do, security professionals say it's difficult to quantify.
Yet beyond preventing breaches, "increased productivity is always a value proposition," said Pete Lindstrom, research director of Spire Security in Malvern, Penn. Companies can also expect reduced turnover by training information security employees and keeping them happy, he said.
On the other hand, there's a limit to certifications' healing powers. "Scarcity brings value to this stuff, and unfortunately if everyone and their sister is certified, it highlights issues associated with any certification," said Lindstrom. Namely, certification doesn't guarantee performance.
Today more than 20,000 people are CISSP certified, up from 6,900 in 2001, though PwC said they're concentrated in larger companies, which are able to pay top dollar for talent.
Organizations have another, money-saving option: improve existing, companywide security training programs. Too often security training is handled by HR staff without specialized security knowledge or IT assistance, and as a result it focuses on the wrong things, or just on "what not to do," said Kris Lovejoy, vice president of technology and services for Netherlands-based security event management software vendor Consul.
"If we can enhance the foundational knowledge people have on security -- through training and certification -- we can be more efficient," said Brian McCarthy, CompTIA's chief operating officer.