Businesses are failing to hire IT professionals with formal security qualifications, despite an escalation in the number and cost of security incidents over the past two years.
Only 10% of UK businesses and 25% of large companies have staff with formal security qualifications, such as CISSP or CISM, on their security teams, the Department of Trade & Industry's latest Information Security Breaches Survey has revealed.
And only 42% of businesses have staff with formal IT qualifications
of any kind on their security teams, the survey of 1,000 UK
businesses showed.
The findings suggest that businesses are finding it difficult to
recruit skilled security staff, potentially making it more
difficult to keep their teams up to speed with rapid changes in
threats and technology.
Over the past four years the proportion of businesses experiencing
security incidents has risen from 24% to 68%, with the average cost
of the worst breaches ranging from £50,000 to £150,000.
"I think there is a discontinuity between board level, the policy
level and people doing security. There is a need for greater
education and formal security qualifications," said Andrew Beard,
security advisory director at professional services firm
PricewaterhouseCoopers. "Although this will not solve the problems
by itself, it will help in setting the benchmarks."
Lack of formal education may account for an alarming level of ignorance among companies about BS7799, the British standard for information security management. Only 12% of all businesses surveyed by the DTI, and 39% of large businesses, said they had heard of it.
Awareness of the standard was greatest among telecoms companies and
government suppliers and lowest among property and construction
companies, the survey revealed.
The low take-up of BS7799 in the UK is disappointing, said Beard, given that it is proving increasingly popular overseas. However, it may reflect difficult business conditions over the past two years in the UK, because of the costs to companies of getting security systems and procedures up to the BS7799 standard, he added.
Among those businesses that were aware of BS7799, about 50% were
partially or fully compliant, up from 40% two years ago.
Nearly 90% of those companies that had adopted BS7799 said that formal certification had improved their business continuity; 85% said it had minimised damage from security incidents; and 53% said it had led to a higher return on investment.