Worms and viruses are becoming more pervasive, but surprisingly they are no longer the main concern of IT managers. For the first time compliance with regulations has become the number one issue for information security, according to an annual global information security survey by professional services provider Ernst & Young.
Despite the increased awareness of regulatory compliance, information security as a function is still not becoming a natural part of organisations’ strategy, says the report.
“The gap continues to widen between the growing risks brought on by rapid changes in the global business environment and what information security is doing to address those risks,” says Susan Steedman, director of enterprise risk and improvement services at Ernst & Young.
More than 1300 companies, governments and non-profit organisations in 55 countries participated in the survey. Two thirds responded that compliance with regulations such as Sarbanes-Oxley or the EU’s 8th Directive is the most important driver of information security.
Steedman says that other concerns for IT managers today include the shortage of experienced security specialists and new technology that enables mobile working.
“Because the majority of organisations have built their security system without the mobile component to it, the growing mobile technology is a change they need to get to grips with.”
The survey shows that few organisations actively manage third-party security risks. More and more organisations are trading information electronically with clients and suppliers, but security management has not kept pace with that growing use.
One fifth of survey respondents do not address the issue of vendor risk management at all, and one third say they have only informal procedures in place to do so.
The survey also reveals that fewer than half of organisations provide or plan user training, although more than half of the respondents say their greatest challenge in managing information security successfully is finding well-trained IT staff. Fewer still train their staff on responding to security incidents.
“There seems to be a disconnection between business activity and the way information security is being carried out and that is a big concern,” Steedman says.