Channel Insider content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Nothing short of a fundamental change in thinking can effectively address the persistent issue of IT security, according to the chief operating officer of IT trade association CompTIA.

Decision-makers must approach the protection of their companies’ data and networks in strategic terms, which is not the case currently, COO Brian McCarthy told The Channel Insider during an interview on March 6.

While the number and effectiveness of security solutions have improved in recent years, the fundamental issue remains that close to 80 percent of security breaches result from human error, he said.

And that propensity for human error is from the lack of security training, McCarthy said.

Is it the end of the security world as we know it? Click here to read more.

Employers don’t invest enough on training, as fewer than 25 percent of IT professionals actually receive some kind of security training, according to a survey of 574 IT professionals conducted in December by CompTIA, Oakbrook Terrace, Ill.

“If less than 25 percent are receiving security training, what does the other 75 percent rely on? It’s dumb luck,” McCarthy said.

McCarthy blames complacency for the lack of attention to security. Because security solutions have become more effective, he said, companies conclude that deploying the technology is enough to protect them.

But since 79.5 percent of security breaches are attributable to human error, according to the survey results, companies are missing the point. They are putting too much faith on the technology itself without ensuring that people know how to use it properly, McCarthy said.

According to the survey, IT departments on average spend only 2 percent of their time on security. In addition, only 5 percent of IT budgets are allocated to security spending, the survey found.

“There’s a need to make a cultural shift,” McCarthy said.

Top-level management at companies must start thinking of IT security in a strategic way, he said. And it is up to their IT services and solution providers to drive the point home by making the case that security breaches ultimately cost more than deploying the technology and training people adequately, he said.

IBM predicts 2006 security threat trends. Click here to read more.

Breaches are costly not just because remediation is expensive but also because they can affect the bottom line if the breach causes network or application downtime.

According to the CompTIA survey, companies reported that their most recent security breach cost them a median of about $11,500 to fix. Yearly, it costs companies an average of about $35,000 to recover from security breaches.

Breaches that cause losses of business-critical data are fatal for some companies. According to research firm Gartner Group, about 50 percent of businesses that face data loss from an attack or system failure go out of business within three years if they fail to restore the lost data within 24 hours.

McCarthy said CompTIA has taken on the need to think of security strategically as one of its main themes. The association plans to work with its members to get the message out and hopefully effect the necessary change in thinking, he said.