Information security is a top priority for many organizations. Yet a new study shows that the individuals tasked with securing data and networks may not have the requisite skills to do so.
More than 3,500 information technology (IT) managers around the world participated in the survey commissioned by the Computing Technology Industry Association (CompTIA). These managers identified security as the technology skill most important to their organizations today. But IT managers also said there is a significant gap in the security skills available among today's tech workforce when it comes to such critical areas as data privacy, firewalls and other security practices.
The importance of security technology skills was identified as a top priority across more than a dozen industries surveyed; across organizations ranging from small business to large enterprise; and across geographies.
Among IT managers in nine countries with established IT industries (Australia, Canada, France, Germany, Italy, Japan, the Netherlands, United Kingdom, and United States), 73 percent identified security, firewalls and data privacy as the IT skills most important to their organization today. But just 57 percent said their IT employees are proficient in these security skills, a gap of 16 percentage points.
The gap is even wider in five countries where the emergence of a strong IT industry is relatively recent (China, India, Poland, Russia, and South Africa). Among respondents in these countries, 76 percent identified security as the top skill their organization needs; but just 57 percent said their current tech staff is proficient in security. That's a difference of 19 percentage points.
Security skills showed the largest gap between importance and proficiency across all countries, with the exception of the Netherlands, where they showed the second-largest gap, behind application-level IT skills.
CompTIA commissioned The Center for Strategy Research, Inc. (http://www.csr-bos.com/index.htm), a Boston-based market research firm, to conduct the survey among organizations worldwide to identify gaps in IT skills and possible solutions to close those gaps. The telephone and online survey was conducted during the fourth quarter of 2007.
With so much attention focused on security, and so many resources devoted to it, why are security skills coming up short? IT managers say it's because the security landscape changes so rapidly, with the volume and virulence of security threats growing almost daily, that it is difficult for even the most seasoned security professionals to stay ahead of hackers and cyber criminals.
In 2007 alone, 7,236 new security-related threats and problems were identified by the CERT Coordination Center (http://www.cert.org/certcc.html), a major center for tracking and responding to Internet security problems. Since 1995, more than 38,000 security compromises, intruder activities, product vulnerabilities, and other security problems have been identified.
To combat the shortcoming in IT security skills, organizations are employing several strategies.
Among the 3,500-plus IT managers surveyed for the CompTIA study, 59 percent said they intend to have their tech workers seek additional professional training; 43 percent plan to have their workers obtain professional industry certifications; 42 percent will implement career planning or mentoring programs to enhance skills; and 41 percent will provide employees who boost their skills on their own with incentives, rewards and recognition.
Organizations also plan to increase spending across all areas related to security to combat the seemingly endless waves of cyber-attacks. A 2007 survey of more than 1,000 organizations commissioned by CompTIA found that nearly one-half intended to increase spending on security-related technologies, and another one-third expected to increase spending on security training.
With so much at stake, it is not surprising that more organizations are implementing comprehensive security training programs and making training a requirement. The benefits of such training are clear. Among organizations that have provided security training for their IT staff, an impressive 81 percent believe that security training for the IT staff has improved information security at their organizations. Nearly three-quarters of those firms said that increased awareness of security issues and the ability of the staff to proactively identify potential security risks are the key benefits of IT security training. More than half also indicated that training helps improve security because of the IT staff's ability to respond quickly to security issues and to implement better security measures.
In increasing numbers, organizations are implementing a multi-layered approach to security that leverages new technologies. But an increased reliance on technology alone is not the cure-all to secure the perimeter of corporate networks. There is a strong need for specialized training and certification for IT and security personnel, as well as security awareness training for all corporate employees, from the clerk in the mail room to the CEO in the corner office.