Who else other than the CIO? So why aren't CIOs doing more about it?

Mark Twain is reported to have famously remarked: "Everybody talks about the weather. But nobody does anything about it."

I was reminded of that quip when I read a news story posted by my colleague K.C. Jones about the increased awareness of security problems related to mobile computing devices and wireless networks, and the lack of effort to do anything about it. The story was related to the release of a survey sponsored by an industry organization called the Computer Technology Industry Association (CompTIA). The organization claimed to have interviewed 1,070 organizations about their security concerns.

Sixty percent of organizations surveyed recently said that security issues related to handheld devices have increased over the last 12 months... Still, only 32% of organizations have implemented any security awareness training for mobile and remote workers, according to CompTIA. Only 10% plan to implement security training in the next 12 months...

How could this be? Is it a question of resources, funding, executive support? Or is it a game of pass the buck? "That's an HR issue, not mine," huffs the hand-wringing, head-in-sand CIO.

Yet, the proof is there that security training can be effective, according to CompTIA. “Nearly 90 percent of organizations that have implemented awareness training for remote and mobile workers believe that the number of security breaches they’ve encountered has been reduced.” said John Venator, president and CEO of CompTIA, in a statement. “Organizations that do not train their mobile workers in security fundamentals are doing themselves a great disservice,” he said.

Security training in general doesn't seem to be a particular priority among CIOs. In the most recent InformationWeek Information Security Survey 2007, only 19% of the 1,101 business technology executives contacted in U.S. cite "Educate business groups" as a key tactical security priority in the next 12 months. In answer to the question, "How often does your organization train employees on information security policies/procedures?" 47% of U.S. respondents answered "Ad hoc," and 5% said "Never." If my math is correct, that adds up to more than half of the U.S. survey respondents training their employees on computer security policies and procedures, uh, mostly when they feel like it.

What will it take to make computer security -- in particular, security related to mobile computing and wireless networks-- a priority? And for CIOs to take responsibility for it -- and do something about it?