Firms are failing to implement holistic security strategies, and the security function remains isolated from executive management and the strategic decision-making process.
Nearly one-third (32%) of security leaders say they never meet with their board or audit committee, and over a quarter admit they are not reporting to business leaders on information security compliance or incidents, according to Ernst & Young's tenth annual Global Information Security Survey.
Richard Brown, head of technology security and risk services at Ernst & Young, said information security had never been so high up on the corporate and private individual's agenda, which meant it had to move forward "on the business, and not just the IT agenda."
The survey found that information security is becoming more integrated into companies' overall risk management, with four out of five (82%) respondents reporting at least some level of integration. The share of organisations that have fully integrated information security into their overall risk management approach has nearly doubled since last year, rising from 15% to 29%.
Privacy and data protection have increased significantly as drivers of information security. Fifty-eight percent of this year's respondents placed privacy and data protection among their top three drivers, up from 41% a year ago.
And although compliance-based initiatives continue to be the primary driver of information security, nearly half (45%) of the survey respondents ranked helping the business to meet its overall objectives among the top three drivers of information security.
But the survey found that the greatest challenge to delivering information security projects was the availability of experienced and trained staff.
More than half of respondents indicated that, as the role of information security expands within organisations, the lack of experienced and skilled staff was the number-one obstacle to delivering strategic information security projects.
Ernst & Young said the changing face of technology was creating increasing risks. Removable media such as USB memory sticks and CDs, which can hold vast amounts of valuable corporate data, and mobile devices such as PDAs and smartphones were the top security concerns, it said.
Brown said business leaders needed to work with their risk and security teams to "clearly understand their changing business risks through comprehensive and timely risk assessment. This can then be responded to with the right processes and procedures, supported by awareness and compliance activities across the organisation."