IT security training and certification paying off for organizations

Organizations with at least one-quarter of their IT staff trained in security reported fewer security breaches (46.3 percent) than organizations with less than one-quarter of IT staff trained in security (66.0 percent). Among those who have invested in IT security training, 80 percent feel that their security has improved; 70 percent of those who have invested in certification feel the same way. Nearly 900 organizations across a range of industries, including education, financial services, government, health care, IT, and manufacturing, participated in the second annual CompTIA study.

"There is growing recognition that training and certification are key elements in improving IT security," said John Venator, president and chief executive officer, CompTIA. "Now more than ever, organizations realize that information and intellectual property are their lifeblood. They also realize that it's easier than ever for people to access, lose or steal this information. Anyone with a PC, a laptop, a mobile phone, or a PDA is a potential threat to security."

In remarks delivered today in Hong Kong at Business Week's 13th Annual Asia Leadership Forum, Venator said the real and perceived improvements in security are accompanied by hard numbers when the return on investment (ROI) from training and certification are discussed. The CompTIA study found that the median value of estimated ROI for training is $20,000 per trained employee per year; while the median value for ROI for certification is $25,000 per certified employee per year.

More organizations are requiring security training (30.2 percent, up from 23.2 percent a year ago) and security experience (28 percent, up from 18.8 percent) for their new IT staff hires. In fact, past experience in IT security has surpassed self-study as the second-most effective training tool, behind only "hands-on" training.

"Anyone can claim to be astute in the area of IT security," Venator said. "But organizations today are looking for individuals with proven security experience. Obtaining industry-recognized certification, such as CompTIA Security +, is one way in which IT professionals can demonstrate their expertise."

More than two-thirds of organizations (68 percent) believe that vendor-neutral IT security training and certification is better than that offered by a particular vendor because vendor-neutral training lays the necessary foundation for maximum return from vendor-specific training. Even respondents who show a preference for vendor-specific certification indicate that vendor neutral certification plays a key role in ensuring an appropriate depth of knowledge in their staff - knowledge that is not limited to a particular brand or platform.

Security training and certification are extending deeper into IT departments, the CompTIA survey found. Fifteen percent of organizations require all IT staff to have such training; and 31 percent of organizations require at least half their IT staff to be trained in security matters. The comparable figures for last year were 11 percent and 22 percent.

Among specific job positions, increases in security training were reported for director level (up 6 percent), engineering level (up 14 percent), project manager level (up 14 percent), and product developer level (up 10 percent).

The study also found that that increasing percentages of IT budgets are being spent on security. Nearly one in four respondents (22 percent) said they will spend 20 percent or more of their total IT budget on computer security. That's up from 15 percent last year.

The study was conducted for CompTIA by TNS Prognostics of Palo Alto, Calif., a leader in customer research based consulting for the IT industry.