Firms fail to hire security staff with formal qualifications
by Bill Goodwin
Businesses are failing to hire IT professionals with formal security qualifications, despite an escalation in the number and cost of security incidents over the past two years.
Only 10% of UK businesses and 25% of large companies have staff with formal security qualifications, such as CISSP or CISM, on their security teams, the Department of Trade & Industry's latest Information Breaches Survey has revealed.
And only 42% of businesses have staff with formal IT qualifications of any kind on their security teams, the survey of 1,000 UK businesses showed.
The findings suggest that businesses are finding it difficult to recruit skilled security staff, potentially making it more difficult to keep their teams up to speed with rapid changes in threats and technology.
Over the past four years the proportion of businesses experiencing security incidents has risen from 24% to 68%, with the average cost of the worst breaches ranging from 50,000 to 150,000.
'I think there is a discontinuity between board level, the policy level and people doing security. There is a need for greater education and formal security qualifications,' said Andrew Beard, security advisory director at professional services firm PricewaterhouseCoopers. 'Although this will not solve the problems by itself, it will help in setting the benchmarks.'
Lack of formal education may account for an alarming level of ignorance among companies about corporate security standard BS7799. Only 12% of all businesses surveyed by the DTI, and 39% of large businesses, said they had heard of it.
Awareness of the standard was greatest among telecoms companies and government suppliers and lowest among property and construction companies, the survey revealed.
The low take-up of BS7799 in the UK is disappointing, said Beard, given that it is proving increasingly popular overseas. However, it may reflect difficult business conditions over the past two years in the UK, because of the costs to companies of getting security systems and procedures up to the BS7799 standard, he added.
Among those businesses that were aware of BS7799, about 50% were partially or fully compliant, up from 40% two years ago.
Nearly 90% of those companies that had adopted BS7799 said that formal certification had improved their business continuity; 85% said it had minimised damage from security incidents; and 53% said it had led to a higher return on investment.
BS7799-2:2002 Information Security Management System
The organization shall develop, implement, maintain and continually improve a documented risk management system.
Identify a method of risk assessment that is suited to the organization's business information to be protected, regulatory requirements and corporate governance guidelines.
Identify the assets and the owners of these assets.
Identify the threats to those assets.
Identify the vulnerabilities that might be exploited by the threats.
Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
Assess the risks.
Identify and evaluate options for the treatment of risks.
Select control objectives and controls for the treatment of risks.
Implement and operate the system.
Monitor and review the system.
Maintain and improve the system.