A lack of security experts is damaging the ability of companies to meet new compliance laws, according to the London School of Economics (LSE).
The McAfee-sponsored report, conducted by Dr Jonathan Liebenau at the LSE's Department of Management, concludes that difficulties in hiring and retaining the right staff were exacerbating a range of risks. Chief amongst these were the reputational risks associated with data leaks and theft.
After conducting interviews with IT directors and chief security officers (CSOs )in large financial services organisations in Europe, Asia and the US, the study found that by mid-2006, reported security breaches had reached between eight and 10 per week in the US, compromising 94 million records containing sensitive personal data since reporting breaches became mandatory for companies over a certain size.
"The practice of reporting breaches, now commonplace in the US and quickly spreading to several regions in the world, will impact the way individuals and organisations think about information handling in general and reputation protection in particular," said Dr Liebenau.
Sensible assessment of how to balance such issues depended on having the right people in place, and these were now in very short supply. Consequently, companies found themselves over-dependant on a small pool of expertise.
The report found that the people who formulated security policies were often different from those who managed and maintained them, leading to a disconnect between strategy and reality. Evaluating such problems was difficult because of a lack of good benchmarks.