People, policy and processes are a far more effective barrier to security threats than technology, according to a global survey by the International Information Systems Security Certification Consortium (ISC2).
Companies are beginning to realise that technology is the enabler, not the solution, to a watertight security strategy, says the report. It adds that in recognising that security is wider than an IT problem, many firms are shifting responsibility for information security from the CIO’s shoulders and sharing the burden between a number of C-level executives, as well as legal and compliance experts.
“The message of people and processes being absolutely crucial to effective information security is finally starting to resonate with business leaders,” says Allan Carey, program manager at IDC, which conducted the study on behalf of ISC2 .
Reflecting this move away from technology, organisations are now spending an average 41% of their security budgets on personnel and training, an increase of around 5%.
Security professionals are also optimistic that they can become “change agents” in their companies and raise security awareness in their firms.