CompTIA’s “Eleventh Annual Information Security Trends” study found that companies are not fully addressing a critical component to IT security: IT security skill levels within IT departments and IT security education for the entire workforce.
Despite IT industry security threats that keep increasing in type, frequency and complexity, eight out of 10 companies in the CompTIA study reported viewing their current level of security as completely satisfactory or mostly satisfactory. However, this may be a false sense of confidence if they have not addressed their security situation recently.
Seth Robinson, CompTIA’s director of technology analysis, noted that companies need to widen their defenses to aggressively address new IT security threats, such as mobile malware, mobile phishing, advanced persistent threats and IPv6 attacks. For example, McAfee Labs reports that the number of mobile malware samples collected through the first half of 2013 matched the number of samples collected throughout all of 2012.
“The changes in technology require changes in security,” Robinson said. “Companies may feel good about their security based on what they’ve done before, but they’re often not aware of some of the new things they need to be doing. Companies are not refreshing their defenses, and there’s a skills gap both within IT departments and also within the companies’ larger workforce.”
Another troubling trend: This year, for the first time, the CompTIA security study found that respondents selected “human error among IT staff” and “human error among general staff” at the bottom of their list of security threats they consider “serious concerns” (after malware, hacking, phishing, data loss/leakage and other threats). Yet CompTIA found that more than half (55 percent) of the companies participating in the survey attribute the root cause of their security incidents to human error, with technology error cited by only 45 percent.
“That’s a major disconnect,” Robinson said. “End-users now have much more ability to create security incidents because of the new technologies they are using – mobile devices or cloud solutions, for example.”
“Companies need to address this, because human-error-caused security problems are happening more often,” Robinson said. “But they’re struggling, because it’s not really a technology issue. It’s an education issue.”
Companies need to include education and training, along with security policies geared to reduce human error in their investments in IT security, Robinson said. “This education needs to include the entire workforce, not just the professionals who are working on IT security.”
As far as IT professionals go, companies are finding that security skills are in high demand. According to labor insight firm Burning Glass, the number of information security job openings has remained high over the past three years, peaking at 52,793 in 2011 and hitting a cumulative 44,791 openings year-to-date as of September 2013. Security engineer, information security analyst, network security engineer, security analyst and information security engineer were among the top IT security job titles organizations sought to fill, Burning Glass found. In addition, more than half (56 percent) of the security professionals in (ISC)2’s 2013 “Global Information Security Workforce Study” believe there is a workforce shortage.
Part of the reason for this demand may be to fill skills gaps that organizations observe. About one in 10 companies feel that their security team, which could be internal or external, is significantly deficient in skill level, and another 21 percent feel that their security team is moderately deficient. Top areas where companies want to shore up their security skill deficiencies include cloud security (cited by 56 percent), mobile security (48 percent), data loss prevention (46 percent) and overall risk analysis (35 percent).
The CompTIA survey found that about nine out 10 companies have a high highly or moderately valued the return on investment of certified staff. In addition, four out of 10 companies changed their security approach over the past two years as a result of knowledge employees gained from training or certification. Other key drivers of companies’ new security approaches include a move to cloud solutions, a new mobility strategy, reports of breaches at other organizations and internal security breaches.
“The security landscape is always changing,” Robinson said. “One of the best ways for companies to understand what’s going on is to get people trained and certified and have that knowledge be brought back into the organization.”
