Boardrooms not committed to data legislation, survey finds
The survey, which asked 218 IT managers for their views on compliance and risk management, also revealed a lack of commitment to information security across the UK’s boardrooms. Forty per cent said that their companies only paid ‘lip-service’ to security standards to gain compliance status.
Commissioned by software vendor NetIQ, the survey found that 29% of security managers felt that their company’s security policies were not closely aligned with either the business objectives or areas of risk within their organisation.
Ulrich Weigel, NetIQ’s Director of Security Products, said that IT and security managers must ensure that the policies and procedures are relevant and integrated with their company’s business and objectives.
“Successful companies are beginning to realise that security management is about more than buying a bunch of different security technologies and deploying them,” he said.
“It is imperative that they are able to communicate at senior board level that security is no longer just a cost item on the P&L, but that it can actually differentiate them from their competitors and win them new business.”
In a recent report, industry analyst Thomas Raschke said: “CISOs [chief information security officers] have traditionally been IT people focused on technology – but the job is shifting to focus more on business risk management.
“We are currently in a time of transition, one that can make CISOs with less business-side experience acutely uncomfortable. In the interim, legacy CISOs and other security managers still struggle with gaining visibility and influence within the business.”
IFSEC Insider