Study shows agencies, firms forego investment in security training

Companies and government agencies are increasingly aware of the importance of computer security and yet most spend less than 5 percent of their budget on security training for their information technology employees, according to a study released Tuesday.

Through the 638 members of the Computing Technology Industry Association who responded to the survey, CompTIA found that 75 percent of companies and agencies spent 10 percent or less of their IT budgets on computer security, and of that amount less than 5 percent is spent on training. Still, 96 percent of those surveyed said they would recommend security training for their staff, and they believe it could reduce their vulnerability to cyberattacks.

"We think the results are pretty staggering," said Brian McCarthy, CompTIA's chief operating officer at a news conference to release the survey. "Agencies and companies have looked primarily to technology for network safety...but 80 of the respondents say...that the lack of IT security knowledge ...resulted in human error and...were the root causes...of security breaches."

The survey also found that 31 percent of companies and agencies had experienced one to three "major security breaches" in the last six months. Andy Purdy, a cyberpolicy adviser at the White House who spoke at the press briefing, said the administration recognized the need for more training and made note of it in President Bush's national strategy to secure cyberspace. An updated version of the strategy was released last month.

Purdy also said he believed in an era of heightened focus on corporate accountability that companies will have to start doing more to demonstrate publicly that they are adhering to the best practices laid out in the cybersecurity strategy.

Purdy said it is likely the Homeland Security Department will oversee the implementation of the strategy, although White House officials are deciding whether senior members of the President's Critical Infrastructure Protection Board will move to the department or remain at the White House. Bush dissolved the board last month as Homeland Security absorbed 22 agencies but did not clarify who would lead cyberpolicy within the administration.

Purdy said the White House might issue a presidential directive or executive order clarifying the structure of cybersecurity within the administration.

Rep. Adam Putnam, R-Fla., the new chair of the House Government Reform Subcommittee on Technology and Information Policy, vowed to continue aggressive oversight of cybersecurity within the government. He said the first hearing on government's implementation of cybersecurity measures would be April 8, and he would continue the committee's tradition of issuing a report card on government agencies' progress in implementing computer security plans.