The welter of compliance regulations, such as Sarbanes-Oxley and the
EU's 8th Directive, has toppled worms and viruses as the prime driver
for information security, according to accounting firm Ernst &
Young's eighth annual security report.
Two-thirds of the 1,300 global companies interviewed put it top of
their list of information security concerns, despite it being a
bumper year for virus and worm activity.
But companies that view compliance as a distraction are missing an
opportunity to embed security into their business. "Compliance is
proving to be more of a distraction than a catalyst for information
security becoming strategically aligned within organisations," says
Edwin Bennett, global director of Ernst & Young's Technology
and Security Risk Services.
"One might assume that with the attention information security is
receiving due to regulatory compliance, organisations' information
security postures are improving and information security as a
function is becoming more integral to their strategic initiatives.
Unfortunately, this is not happening on a consistent basis."
The study reveals a mismatch between business objectives and
security. A commanding 81% of the respondents perceive compliance
with corporate policies and procedures as more important than
business objectives such as mergers and acquisitions, product
launches and delivery.
Only 41% of the companies say they are using compliance as an
opportunity to make changes to their security architecture.
Ernst & Young predicts that compliance will remain in its pole
position for the next 12 months.