High Demand, Short Supply
Security technology skills ranked a top priority by IT managers
- By John Venator
- Jul 14, 2008
Information security is a top priority for many organizations. Increasing security concerns regarding the use of hand-held devices, mobile and remote workers, VoIP technology and a host of other issues affect almost every organization. Yet a recent study indicates that the individuals responsible for maintaining data and network security may not have the skills to do so.
In a late 2007 phone and Web survey of more than 3,500 IT managers around the world, security was identified as the technology skill most important to organizations today. The importance of security technology skills was identified as a top priority across more than a dozen industries surveyed, in organizations ranging from small businesses to large enterprises and throughout 13 of 14 countries surveyed.
However, the same managers also said there is a significant gap in the security skills available among today’s tech work force.
By the Numbers
Among managers in nine countries with established IT industries (Australia, Canada, France, Germany, Italy, Japan, the Netherlands, the United Kingdom and the United States), 73 percent identified security, firewalls and data privacy as the IT skills most important to their organization today. But just 57 percent said their IT employees are proficient in these security skills, a gap of 16 percentage points.
The gap is even wider in five countries where the emergence of a strong IT industry is relatively recent (China, India, Poland, Russia and South Africa). Among respondents in these countries, 76 percent identified security as the top skill their organization needs, but just 57 percent said their current tech staff is proficient in security. That’s a difference of 19 percentage points.
With so much attention focused on security, and so many resources devoted to it, why are security skills coming up short? IT managers say it’s because the security landscape changes so rapidly, with the volume and virulence of security threats growing almost daily, that it is difficult for even the most seasoned security professionals to stay ahead of hackers and cyber criminals. Consider that in 2007 alone, 7,236 new security-related threats and problems were identified by the CERT Coordination Center, a major center for tracking and responding to Internet security problems. Since 1995, more than 38,000 security compromises, intruder activities, product vulnerabilities and other security problems have been identified.
The number of unique computer viruses and other pieces of malicious software that hackers tried to install on computers and IT networks doubled to 500,000 from 2006 to 2007, according to tech-security company Kaspersky Lab Inc. Kaspersky expects that number to double again in 2008.
According to Symantec’s biannual Internet Security Threat Report, covering July to December 2007, phishing hosts (computers that host one or more phishing sites) increased from 32,939 in the first half of 2007 to 87,963 by the end of last year, a 167 percent jump.
Is it any wonder that even the most prepared IT department is challenged? And the threats will not ease off.
A Worldwide Challenge
According to a 2008 CompTIA survey, organizations in the United States identify the most pervasive security threats today as spyware, viruses, worms and the lack of corporate user awareness. Similar threats are faced by firms outside the United States, though other challenges, such as data theft (identified as a significant threat by companies in the United Kingdom) and browser-based attacks (a top threat for firms in China), attest to the diversity of security issues organizations must contend with.
As global trends of work force mobility and decentralization put a greater strain on IT security infrastructure, it is becoming increasingly complex for corporate IT departments to safeguard information. Companies today are plagued by an array of security issues, as corporate information is often the target of malicious destruction or theft aimed at gathering trade secrets, collecting competitive intelligence, harvesting addresses or sabotaging processes.
Growing Costs
The amount of IT budget that companies dedicate to security continues to grow as well. The CompTIA survey found that in the United States, companies earmarked 12 percent of their IT budget in 2007 for security purposes. That’s up from 7 percent just two years ago.
On an annual basis, U.S. firms spend about $600,000 on security-related technologies, processes, training and professional certifications. This is a significant amount compared to what is spent annually among firms in other countries, such as Canada, nearly $375,000; the United Kingdom, $370,000; and China, $175,000.
The bulk of these dollars is used to procure security-related technologies. Two of five surveyed expect technology spending to increase about 20 percent over the next year.
Security Tools, Procedures
There is a widespread reliance on security-related technologies to enforce security requirements, as indicated by the use of firewalls, proxy servers and antivirus software in more than 90 percent of the firms that participated in the CompTIA survey. These technologies, while providing a degree of protection, fail to comprehensively address all the risks associated with the modern business environment.
As a result, a growing number of companies are adding extra layers of security-related technologies to mitigate potential risks caused by greater worker mobility and decentralization. In fact, the popularity of intrusion detection systems in the United States has grown in the past two years, and they can now be found in 50 percent of companies nationwide, compared to 43 percent in 2005. Technologies associated with physical access control, multifactor authentication and penetration testing also are on the rise among U.S. organizations.
Yet, even as companies put more financial resources toward information security and continue to invest in security-related technologies, human error still plays a significant role in breaches. Approximately 30 percent of the most severe breaches are caused by human error, while a similar proportion is the result of a combination of human error and technical malfunction.
Staff failure to follow security procedures is often to blame. But increasingly, the lack of IT security knowledge is a contributing factor, representing 25 percent of human error-related attacks in 2007, up from 17 percent in 2006. Such a trend points to a growing need for enhanced IT security training, which in turn can increase awareness among staff and bolster the ability to proactively identify potential security risks and to quickly respond to real issues.
To combat the shortcoming in IT security skills, organizations are employing several strategies. Among IT managers surveyed, 59 percent said they intend to have their tech workers seek additional professional training; 43 percent plan to have their workers obtain professional industry certifications; 42 percent will implement career planning or mentoring programs to enhance skills; and 41 percent will provide employees who boost their skills on their own with incentives, rewards and recognition.
The Training Trend
Training IT staff in security protocol does in fact make a difference. More than 80 percent of organizations that provided security training to staff claim it has generally improved IT security. Among U.S. companies providing training, most say they benefit from greater user awareness and enhanced ability of employees to identify potential security risks (and presumably put a stop to them). In addition, a full 60 percent indicate that there have been fewer incidents as a result.
Security training has saved U.S. organizations as much as $2.2 million, much of which is due to a reduction of server/network downtime and fewer impacts to employee productivity. Likewise, the provision of IT security certification has saved U.S. companies more than $675,000 for similar reasons.
Companies ensure that certifying employees continues to be in their interest through a variety of tools and measures. Most frequently, these companies monitor the number of security incidents that occur to determine if their investment is paying off.
With so much at stake, it is not surprising that more organizations are implementing comprehensive security training programs and making training a requirement. The benefits of such training are clear. Among organizations that have provided security training for their IT staff, an impressive 81 percent believe it has improved information security at their organizations. Nearly three-quarters of those firms said increased awareness of security issues and the ability of the staff to proactively identify potential security risks are the key benefits of IT security training. More than half also indicated that training helps improve security because of the IT staff’s ability to respond quickly to security issues and to implement better security measures.
With new challenges on the horizon, organizations must continue to assess risks and continually improve IT security infrastructure and practices. This combination of technology and training is becoming increasingly important because security breaches are growing ever more severe. A breach today will have a more powerful impact on a company than in the past, and cautious managers should take necessary steps to curb this threat.
One such step may involve convincing top decision-makers that the benefits of awareness training for remote and mobile employees are worth the costs. Potential security infractions can be much more damaging than the investment required to keep them at bay.
Unfortunately, some IT decision-makers are not yet convinced of the return on investment of improving the knowledge levels of staff with training and industry certifications. This is a challenge that firms must overcome if they are to empower employees to provide a more stable environment for corporate information going forward.