Thursday, November 03, 2005

IT security takes back seat to compliance

Complying with regulatory requirements such as Sarbanes Oxley and the European 5th Directive is now the key driver for firms implementing IT security rather than tackling traditional security threats such as worms and viruses. That is the conclusion of the eighth annual Ernst & Young information security survey of 1,300 public and private sector organisations in 55 countries.

The survey found that over the last 12 months, 61% of firms regarded compliance as the main driving force for information security, as opposed to worms and viruses (53%). Meeting business objectives was the main driver at 49% of firms. For the next 12 months, 60% of firms see compliance as the main issue, with worms and viruses being the prime concern of just 31%. Meeting business objectives has closed the gap with compliance issues, with 55% of firms saying it was the main issue for information security to address over the next 12 months.

Jan Babiak, Ernst & Young head of information security advisory services, said, “This year’s research shows that not only is regulation the new primary driver for information security investment, but the pressure to comply with the huge burden created by industry regulation such as Sarbanes-Oxley has placed information security firmly in the boardroom.” However, Babiak added that many senior executives are missing the opportunity to use compliance as a catalyst to leverage their investment and embed information security as an integral part of their strategic initiatives. He said that although a large proportion of the organisations surveyed recognised the security risks presented by new technologies, such as mobile wireless, there were a “worryingly high number of respondents who had no plans to actually address the security issues that these technologies will open”.

The survey also found that despite organisations assigning responsibility to individuals for the security of information assets and intellectual property, the level of training and awareness remained “startlingly low”. The survey also found that 41% of respondents, mainly CIOs and chief information security officers, reported meeting with their board of directors and audit committees less than once a year or not at all. Ernst & Young said this posed a significant gap in communication between security and the business.

Outsourcing was another potential security problem for the business, with just 17% of respondents requesting independent third-party reviews of their supplier’s security arrangements, which could impact on their own IT systems and overall business.

CATEGORIES: 1outsourcing, 1survey, 1trends, 1compliance, 1sox, 15thDirective
Rate this post: (Provided by NewsGator)


Post a Comment

Links to this post:

Create a Link

<< Home