Compliance with regulations and best-practice guidelines has taken the lead in driving information security, according to the latest Global Information Security Survey by Ernst & Young.
This was the chief finding of the 2005 survey that collated responses from 1 300 organisations in 55 countries, with only 7% of the sample representing US companies.
"Worms and viruses have taken a back seat for the first time since the inception of the survey," said Shaun Nel, Ernst & Young`s information systems assurance and advisory senior manager, at a presentation of the results this morning.
He said the results clearly indicate the growing importance of compliance to regulatory frameworks such as Sarbanes-Oxley, IT Infrastructure Library and Cobit, not only in the US and Europe, but also in SA and other parts of the world where organisations are adopting the best-practice guidelines of these frameworks.
Although compliance is driving information security, Nel said organisations are not using the opportunity to redefine the way they are working.
In a brief overview of the survey findings, Nel said growing global interdependency is another fact that needs to be considered going forward.
"Organisations can no longer be concerned with the protection of only their own information, but need to be concerned with how they deal with third parties, vendors and partners, especially when it comes to managing risk," he said.
Emerging technologies present another important challenge. Nel said business demands are driving the adoption of new technologies without organisations taking enough time to understand the security risks and adapting the way they protect information accordingly.
Nel said there is a greater alignment between information security and the way it is delivered with business initiatives the organisations are trying to achieve.
"Last year, many organisations rated their information security functions as relatively ineffective in meeting the demand, but we are seeing that beginning to change, driven by the compliance factor because business is driving the security agenda to a greater extent."
In summary, Nel said organisations must use their compliance efforts as an opportunity to rethink and redefine how the information security function is going to work in the next three to five years. They also need to realise the importance of defining third-party relationships clearly in terms of security, and standardise operations to free up capacity to focus on future strategy.
"For the first time in history, rapidly growing numbers of people have choices and will have to manage themselves, but are largely unprepared for that."
Share