"There may be a training program being rolled out," Adams said, "but it's clearly ineffective for the folks that are getting trained."
"Given the changing pace of technology, it's imperative that you keep your teams up to speed with respect to security issues," he continued. "The technical teams clearly feel like they're getting left behind and not trained, whereas executives and directors think everything is fine in that respect."
In their study, the researchers identified five stages in the development of application security in a typical organization. It starts with "no focus on security," moves to reacting to security problems as they arise and ends up at standardized and defined policies, threat modeling and continuous process improvement based on risk metrics and analysis of discovered vulnerabilities.
"Companies that invest in people and process mature through those five levels faster and with fewer computer incidents than organizations that first invest in technology and tools," Adams said. "That's a data point that I'd like to shout off every rooftop and get in front of every CEO and CFO, because they're the ones making those budget decisions."