Complying with regulatory requirements is now the key driver for firms implementing information security rather than tackling traditional security threats such as worms and viruses.
That is the conclusion of the eighth annual Ernst & Young information security survey of 1,300 public and private sector organisations in 55 countries.
The survey found that over the last 12 months, 61% of firms regarded compliance as the main driving force for information security, as opposed to worms and viruses (53%). Meeting business objectives was the main driver at 49% of firms.
For the next 12 months, 60% of firms see compliance as the main issue, with worms and viruses being the prime concern of just 31%.
Meeting business objectives has closed the gap with compliance issues, with 55% of firms saying it was the main issue for information security to address over the next 12 months.
Ernst & Young said the sheer number of regulations and the consequences of not complying with them had escalated information security onto the boardroom agenda.
Jan Babiak, Ernst & Young head of information security advisory services, said, “This year’s research shows that not only is regulation the new primary driver for information security investment, but the pressure to comply with the huge burden created by industry regulation such as Sarbanes-Oxley has placed information security firmly in the boardroom.”
However, Babiak added that many senior executives are missing the opportunity to use compliance as a catalyst to leverage their investment and embed information security as an integral part of their strategic initiatives.
He said that although a large proportion of the organisations surveyed recognised the security risks presented by new technologies, such as mobile wireless, there were a “worryingly high number of respondents who had no plans to actually address the security issues that these technologies will open”.
The survey also found that despite organisations assigning responsibility to individuals for the security of information assets and intellectual property, the level of training and awareness remained “startlingly low”.
“Less than half of organisations make provision for general users to be trained or made aware of the impact of information security issues with these technologies, and fewer still receive training on responding to security incidents,” Babiak said.
This should be of particular concern for senior executives, whose incomplete understanding or awareness might affect their ability to make and prioritise investment decisions, said Babiak.
The survey also found that 41% of respondents, mainly CIOs and chief information security officers, reported meeting with their board of directors and audit committees less than once a year or not at all.
Ernst & Young said this posed a significant gap in communication between security and the business.
Outsourcing was another potential security problem for the business, with just 17% of respondents requesting independent third-party reviews of their suppliers’ security arrangements, which could affect their own IT systems and overall business.