Complying with regulatory requirements is now the key driver for firms implementing information security rather than tackling traditional security threats such as worms and viruses.
That is the conclusion of the eighth annual Ernst & Young information security survey of 1,300 public and private sector organisations in 55 countries.
The survey found that over the last 12 months, 61% of firms regarded compliance as the main driving force for information security, as opposed to worms and viruses (53%). Meeting business objectives was the main driver at 49% of firms.
For the next 12 months, 60% of firms see compliance as the main issue, with worms and viruses being the prime concern of just 31%.
Meeting business objectives has closed the gap with compliance issues, with 55% of firms saying it was the main issue for information security to address over the next 12 months.
Ernst & Young said the sheer number of regulations and the consequences of not complying with them had escalated information security onto the boardroom agenda.
Jan Babiak, Ernst & Young head of information security advisory services, said, “This year’s research shows that not only is regulation the new primary driver for information security investment, but the pressure to comply with the huge burden created by industry regulation such as Sarbanes-Oxley has placed information security firmly in the boardroom.”
However, Babiak added that many senior executives are missing the opportunity to use compliance as a catalyst to leverage their investment and embed information security as an integral part of their strategic initiatives.
Babiak said that although a large proportion of the organisations surveyed recognised the security risks presented by new technologies, such as mobile wireless, there was a “worryingly high number of respondents who had no plans to actually address the security issues that these technologies will open”.
The survey also found that despite organisations assigning responsibility to individuals for the security of information assets and intellectual property, the level of training and awareness remained “startlingly low”.
“Less than half of organisations make provision for general users to be trained or made aware about the impact of information security issues with these technologies, and fewer still receive training on responding to security incidents,” Babiak said.
This should be of particular concern for senior executives, whose incomplete understanding or awareness might affect their ability to make and prioritise investment decisions, said Babiak.
The survey also found that 41% of respondents, mainly CIOs and chief information security officers, reported meeting with their board of directors and audit committees less than once a year or not at all.
Ernst & Young said this posed a significant gap in communication between security and the business.
Outsourcing was another potential security problem for the business, with just 17% of respondents requesting independent third-party reviews of their suppliers’ security arrangements, which could affect their own IT systems and overall business.