Managing IT Security Risks Through Training & Certification

Regardless of how the information security landscape changes, one constant always remains – the human factor. Organizations cite poor decisions by staff as a contributing factor in many security incidents. Some of these poor decisions stem from the failure to follow company security policies, but others are a direct result of insufficient training.

According to our data, 41 percent of U.S. organizations report moderate or significant deficiencies in security expertise among their IT staff. Companies in Brazil, India, Japan, South Africa and the U.K. also report similar levels of deficiencies in staff skill levels. Concern is especially high with insufficient security expertise as it relates to safeguarding websites, applications and networks, as well as staying ahead of risks in emerging areas such as social, mobile and the cloud.

The debate between the role of experience and the role of education in short- and long-term performance is probably as old as the workplace and schools themselves. Clearly, both “learning by doing” and formal training/education contribute to success, and yet, their weightings can vary significantly.

Some occupations have high educational barriers to entry (think of the legal or medical professions). Technology, on the other hand, is a notable example of where different combinations of on-the-job training, formal education and IT-specific credentials can be leveraged for career success. In the case of security, the research indicates about 40 percent of U.S. professionals developed their skills primarily through experience, while 23 percent relied heavily on formal training/education. The middle 36 percent cited both equally. Experience plays more of a role in acquiring expertise in Brazil (84%), India (55%), South Africa (52%) and the U.K. (57%).

More than 8 in 10 U.S. organizations formally or informally use security certifications as a means to validate expertise. A prior CompTIA study, Employer Perceptions of IT Training and Certifications, confirms that both hiring managers and HR personnel factor certifications into the assessment process of job candidates.

Across countries surveyed in our new 9th Annual Information Security Trends study, organizations view certified staff as an integral part of their security apparatus. The validation provided by certification is evident in the high level of agreement that certified staff are more valuable to the organization and have proven expertise, and in the belief that the organization is more secure because of the presence of certified staff. As expected, there is a correlation between organizations that have a formal policy toward the use of certification and the value assigned to certifications. Also, those who have been the target of a greater number of security breaches find greater value in having certified employees.

On average, U.S. organizations report being about 30 percent short of headcount devoted to security. Among the countries surveyed in our study, the gap between the ideal number of staff and current levels is most pronounced in Brazil. Unfortunately, in the real world of “do more with less,” most companies are forced to operate at less than optimal staffing levels. Nonetheless, hiring intent for security professionals is on the rise, as 46 percent of U.S. organizations signal their intent to hire security specialists over the next two years. The intent to hire is comparable across countries in our survey, with the exception of Japan, where the number is lower.

This could be challenging, though, given the experience of those that have already attempted to hire security specialists. Across the countries surveyed, firms in this situation reported difficulty in finding security specialists with the right mix of expertise and experience, which is not surprising given the many hats security professionals must wear.

For more on the state of the security landscape, emerging trends and the response to security threats, check out CompTIA’s 9th Annual Information Security Trends study.
