Computer Technology News

The State of Information Security

By John Venator

The scope of threats to information technology (IT) infrastructure continues to expand, ranging from external threats such as viruses, worms, hackers and spyware to internal threats from employees within the organization. Combined with key technology trends such as the increasing pervasiveness of remote access for mobile employees and the deployment of wireless networks, IT departments continue to struggle in the ongoing effort to secure communications, data and networks.

In increasing numbers, organizations are implementing a multi-layered approach to security that leverages new technologies. But increased reliance on technology alone is not a cure-all for securing corporate networks. There is a strong need for specialized training and certification for IT and security personnel, as well as security awareness training for all corporate employees, from the clerk in the mail room to the CEO in the corner office.

For the past five years, the Computing Technology Industry Association (CompTIA) has commissioned a major research project on information security and the workforce. In this time, we have seen a definitive shift toward greater emphasis on making employees aware of the information security threats around them, and on having IT personnel properly trained both to prevent attacks and to minimize the damage of attacks that do occur.

The 2007 study shows that this increased focus is paying dividends. According to the survey of more than 1,000 organizations, the number of security breaches has declined, and human error is becoming less likely to be the cause of major security breaches.

But the study also identifies new threats, making it imperative for organizations to maintain their vigilance.

One of the emerging trends is an increased focus on remote and mobile workers and the unique set of security challenges that these workers pose to organizations. Nearly 80 percent of organizations allow data access by remote or mobile employees. But just 32 percent of organizations have implemented any security awareness training for these workers, and just 10 percent have plans to implement such training this year.

The increasing pervasiveness of remote access to confidential data and applications by mobile employees, and the deployment of wireless networks, are raising the stakes for corporate IT departments. As access extends beyond the four walls of the organization to satellite offices, home-based workers and mobile employees, each remote connection or access point is another potential point of compromise that must be secured.

Sixty percent of the organizations surveyed said security issues related to the use of handheld devices for data access and transfer have increased significantly or increased somewhat over the past 12 months. When it comes to wireless networks, 55 percent of organizations said security issues have increased significantly or somewhat over the past 12 months.

As a result, IT departments are faced with the challenge of deciding how to develop the right balance of security-related technology, training and processes to proactively prevent security threats across a wide range of areas.

Beyond the organizational shift associated with developing and enforcing robust security practices, organizations are dedicating a growing portion of the technology budget to security. The overall percentage of organizations' IT budget dedicated to information security in 2006 was 20 percent. That is up from 2005, when 15 percent of IT budget was allocated to security, and from 2004, when security accounted for 12 percent of IT budget.

Organizations also expect to increase spending across all areas related to security in the next 12 months. Nearly one-half of respondents to the CompTIA survey said they intend to increase spending on security-related technologies, and one-third of respondents expect to increase spending on security training. Among those expecting to increase spending, the average increase is in the range of 19 to 23 percent, regardless of area.

The CompTIA study also showed that of each dollar spent on security, about 42 cents goes to technology product purchases, 17 cents to security-related processes, 15 cents to training, 12 cents to assessments, 9 cents to certification, and the balance to other items.

As further evidence of the financial commitment being made to information security, the number of companies that dedicate at least some portion of their IT budget to security training or certification continues to rise. More than two-thirds (68 percent) allocate at least some portion of their IT budget to security training or certification, up significantly from last year (55 percent).

This increased investment appears to be working. Only one-third of all responding organizations reported experiencing a security breach in 2006. This is significantly lower than in prior years (61.8 percent in 2005, 42 percent in 2004).

The decline in reported breaches may be a strong indication that the volume of attacks on enterprise organizations is beginning to stabilize, although a survey counts the breaches respondents detected and reported, not the attacks attempted against them. Despite this positive trend, the risks of not being prepared for an attack are greater than ever.

Though the number of security breaches has declined, the severity of those breaches is significantly higher than in the two previous years. Respondents rated the severity of their security breaches at 4.8 on a 0-10 scale, where 0 is not at all severe and 10 is very severe. The corresponding severity ratings for the past two years were 2.3 and 2.6. This suggests that each security breach now has greater impact on organizations than before. The trend is consistent across a variety of organizations, regardless of size.

The impact of a security breach on employee productivity is significantly higher than all other cost categories. Organizations broke down the costs of security breaches as follows:

  • Employee productivity impacted – 35 percent
  • Server or network downtime – 21 percent
  • Revenue-generating activities impacted – 20 percent
  • Physical assets impacted – 17 percent
  • Legal fees and/or fines – 8 percent

Respondents estimated that the average cost of all security breaches was $369,388 per organization. The study also revealed that 3 percent of companies said their single most severe security breach cost the organization more than $1 million for that incident alone.

With so much at stake, it is not surprising that more organizations are implementing comprehensive security training programs and making training a requirement. The benefits of such training are clear. Among organizations that have provided security training for their IT staff, 81 percent believe that the training has improved information security at their organizations. Nearly three-quarters of those firms said that increased awareness of security issues and the ability of staff to proactively identify potential security risks are the key benefits of IT security training. More than half also indicated that training improves security because the IT staff can respond more quickly to security issues and implement better security measures.

Yet specialized training for IT staff is still the exception rather than the rule at many organizations. Fewer than half of all companies require IT security training, and about one-third have made it a requirement for both new hires and existing IT employees. Overall, IT security training is mandatory to some degree at 47 percent of organizations today.

It appears that increased spending on security-related technology solutions and training is helping to lower the number of security breaches experienced by many companies. But it is alarming that the severity of those breaches has increased. Clearly, tremendous risk still exists.

As the information security market evolves and the types of threats expand, organizations must seek out the correct balance of technology and training solutions. The benefits of security-related training for IT staff and education for all employees are real and compelling, and the cost savings are undeniable.

John Venator is the president and chief executive officer of the Computing Technology Industry Association (CompTIA), a leading trade association representing the business interests of the global information technology (IT) industry. He is responsible for leading strategy, development and growth efforts for the association and its 20,000-plus member organizations around the world. www.comptia.org

ITSecurityJournal.com | Information Security & Network Security Management