Compliance brings IT security to the board table

Companies are choosing to spend more money this year on compliance regulations, such as Sarbanes-Oxley, in preference to combating viruses and worms.

These are the findings from the accounting firm Ernst and Young's annual security report, which said the threat of going to jail - if found guilty of non-compliance - has made information security a boardroom subject.

Nearly two-thirds of 1,300 survey respondents (61 per cent) cited compliance as a top-three primary driver of information security but worms and viruses accounted for only 53 per cent of answers. Meeting business objectives was ranked third (49 per cent).

In a statement, Edwin Bennett, global director of security risk services for the firm, said: "Compliance is proving to be more of a distraction than a catalyst for information security becoming aligned within organisations. One might assume that with the attention information security is receiving due to regulatory compliance, organisations' postures are improving. Unfortunately, this is not happening on a consistent basis."

Two-thirds (62 per cent) said internal control procedures are having the greatest impact on their organisations, followed by privacy concerns (55 per cent). Respondents said they expect requirements to use cryptography to increase from 15 per cent to 20 per cent next year.

Technologies such as voice over IP (VoIP) and open source were found to be a significant security concern in fewer than 20 per cent of firms.

The survey found that the declining cost of wireless connectivity is driving the adoption of mobile technology.

But Bennett added: "Less than half of organisations make provision for general users of information to be trained or made aware of the impact of information security issues with these technologies and fewer still receive training on responding to security incidents."