A new poll places theft of information and regulatory compliance at the top of chief security officers’ (CSOs’) agenda, as computer viruses and unauthorised access are less of a worry.

Research just published by Cisco has found that, while 38% of respondents place theft of information as their number one concern and 33% focus on regulatory compliance, board-level buy-in remains elusive.

The second annual poll of 100 information technology (IT) security chiefs across large UK enterprises by market researcher Vanson Bourne found that revealed viruses, the prime concern of 55% of respondents in 2006, were cited by just 27% this year. Fewer than a third of the respondents voiced worries about unauthorised access to data in 2007, compared with more than half in 2006.

The poll shows organisations are responding assertively to rapid changes in the security landscape. Almost two-thirds (60%) describe their organisations as “more secure” or “much more secure” compared with a year ago.

But the survey also points to increased concern over the risks posed from within the organisation. Forty-three percent of respondents (compared with 33% in 2006) said they were more concerned with internal threats, such as staff passing on confidential information or stealing intellectual property.

However, only half of respondents (52%, compared with 54% in 2006) said that IT security was a board-level issue at their organisation. In addition, a significant minority – one in 10 – still only takes a reactive approach to security management. And none of the respondents described themselves as “extremely concerned” about the security of voice over internet protocol (VoIP) or unified communications systems, although half (49%) agreed that security should be a consideration when implementing IP-based communications.

“This survey shows just how far the information security market has progressed over the past year,” said Paul King, senior security advisor for Cisco. But he added: “Outside government or financial sectors, the imperative to discuss information security at board level simply is not strong enough.

"Executives themselves may simply expect IT infrastructure to be secure by default, and are often surprised when vulnerabilities emerge. Organisations need to realise that security needs to start at the top of the organisation and it should be seen as everyone’s responsibility: giving employees regular training and encouraging a positive security culture across the organisation. From an implementation perspective, this involves defence-in-depth and building security features into every device on the network – from PCs and IP handsets to servers, routers and even applications themselves.”