CompTIA Research


Summary of “Information Security: A CompTIA Analysis of IT Security and the Workforce”

Survey Information

CompTIA commissioned TNS Prognostics to conduct an in-depth study on IT security. More than one thousand IT professionals responsible for security at their organizations responded to the most recent survey in February 2007.

Key Findings

IT security continues to be a top priority for management – more than 75 percent identify it as such and, in complementary fashion, the percentage of respondents' budgets spent on IT security has risen from 15 percent in 2005 to 20 percent in 2006. Interestingly, the major types of security threats are changing. Thanks in large part to proper training, fewer breaches are caused by human error alone, and spyware, email attacks, and viruses account for over one-half of all security attacks. Viruses account for twice as many attacks compared to 2005, and viruses/worms and spyware/malware lead the list of concerns for the future.

Wireless technology is also a major concern. More than one-half of respondents claim that the use of handheld devices, spyware, voice over IP, and wireless networking have significantly increased as security threats over the past year. Antivirus software and firewalls/proxy servers continue to be the top two technologies for security enforcement and are utilized by nearly all organizations. More than three-quarters of respondents allow data access for remote/mobile workers, yet only 32 percent have implemented security awareness training for these workers and only 10 percent have plans to do so in 2007. However, 72 percent indicate that they have plans in place to protect against security threats resulting from removable media devices. Of those who have implemented training, a majority (88%) believe that the number of major security breaches has been reduced since implementing awareness training for remote/mobile workers.

While breaches caused by human error have gone down, a lack of training is increasingly cited as the cause of a security breach, significantly more compared to 2004 and 2005. More than half of breaches that were related to human error were caused by the failure of staff to follow security procedures. Those companies that properly trained their staff saved significant amounts of money. Savings are estimated to be more than 80 percent higher for organizations with certified employees compared to those with IT security training ($352K vs. $656K), with a median savings of $25K compared to $14K for IT security training.

More than two-thirds of respondents now allocate budget to security training or certification, up significantly from last year. Companies now spend 12 percent of their IT budget on such training and certification, compared to just 8 percent in 2005. Spending in all areas of security, including related technologies, is expected to increase as well for nearly one-half of respondents. A third of respondents also expect to increase their future spending on security training. The percentage of respondents who have a written IT security plan has also steadily increased since 2004 – 62 percent now indicate that they have such a policy, with larger companies being more likely than smaller companies to have one.


Complete reports are available to CompTIA corporate members by logging into CompTIA’s Members Only Area at http://members.comptia.org. The information contained throughout these studies is proprietary to CompTIA. No portion of these studies may be reproduced in any form without the express written permission of CompTIA. However, small segments of no more than one paragraph in length may be quoted if proper citation is made. For more information, or if you’re not a member and would like to purchase the report, please contact research@comptia.org.