RealTime IT News

Study: Increase in Security Training Paying Off

Fewer than half of all organizations reported IT security breaches in the past six months -- provided at least one-quarter of their IT staff were trained and certified in security, a new survey says.

According to its second annual survey slated for release on Monday, the Computing Technology Industry Association (CompTIA) found that organizations reported 19.7 percent fewer security incidents when at least 25 percent of their staff had IT security training.

The survey on IT security and the workforce polled nearly 900 organizations for their perceptions and opinions. Not surprisingly, security training and certifications were seen as a high priority in IT infrastructure.

"The majority of the nearly 900 organizations that participated in the study believe that security training and security certification are key steps that help them improve their ability to identify potential security risks, increase awareness levels, and implement better security measures," CompTIA spokesperson Steven Ostrowski told internetnews.com.

Among the companies that invested in IT security certification, 70 percent said they got their money's worth: security improved. The survey also showed that 68 percent of respondents believed that vendor-neutral IT security training and certification is the best approach.

"The certifications mentioned most frequently by respondents as being the most important to have are Certified Information Systems Security Professional (CISSP) and CompTIA Security+," Ostrowski said. "Both are vendor-neutral certifications, in that they cover multiple products, platforms and technologies," he told internetnews.com.

When asked what IT security skills they believe are most effective for staff, hands-on training was ranked number one (78 percent, the same as last year). Past experience jumped to number two this year, named by 65 percent of respondents, up from 48 percent a year ago. Dropping to number three was self-study, which fell to 53 percent from 67 percent in the same study conducted last year.

The CompTIA survey also found that greater percentages of overall IT staff in IT departments are now receiving security training. Last year 11 percent of organizations required all of their IT staff to have security training. That number is up to 15 percent this year.

Even more dramatic, though, is that 31 percent of respondents now require at least half of their IT staff to have security training, which is up from 22 percent a year ago.

Increasing amounts of IT budgets are being spent on security. The survey reported that 22 percent of organizations will spend 20 percent or more of their total IT budget on security, which is up 6 percent over last year.

However, survey respondents were not asked to break out what they spent on hardware and/or software training.

The CompTIA survey also contends that organizations believe there is a significant return on investment for IT security training and certification. The study reports that the median value of estimated ROI for training is $20,000 per trained employee per year, while the median value for ROI for certification is $25,000 per certified employee per year.

"One of the surprising findings of this year's survey is that 49 percent of the organizations who responded said they do not have a written IT security in place," Ostrowski told internetnews.com. "That's lower than the previous year (54 percent)."

"Given the attention given in recent years to worms, viruses, DOS attacks, etc. - not to mention heightened security awareness in the post-9/11 world - it is surprising that more organizations have not put formal IT security policies in place."