Regulatory compliance has emerged as the biggest driver of information security initiatives, trumping concerns such as worms and viruses for the first time, according to the results of a survey released Wednesday by Ernst & Young.
At the same time, the survey said, IT organizations and information security groups are failing to take advantage of compliance-related concerns to rearchitect their security organizations.
“The sheer number of regulations and the consequences of not complying have brought information security into the boardroom,” the report said. “Yet many organizations are missing the rare investment opportunities that compliance offers to promote information security as an integral part of their business.”
In Ernst & Young’s survey of 1,300 organizations worldwide, nearly two-thirds of respondents said compliance is the primary driver of information security at their businesses, followed by worms and viruses and meeting business objectives.
The results are surprising, given that 2005 has been an especially busy year for worms and viruses, said Rudy Bakalov, senior manager of security and technology solutions at Ernst & Young. “We are very happy that compliance with regulations has become such a high priority,” Bakalov said. Even so, most information security organizations are continuing to focus on tactical issues rather than strategic ones, he said.
For example, nearly 90 percent of those implementing security measures to comply with regulations are focusing on issues such as policies, procedures, training and awareness campaigns, he said. Only 41 percent are also reorganizing their information security function and their architectures as part of the compliance process, he said.
“It doesn’t surprise me that compliance and regulations are overtaking worms and viruses,” John Meakin, group head of information security at Standard Chartered Bank in London, said via e-mail. “As the focus on general corporate governance and maturity of overall risk management increases, security professionals are being asked not just about the headline issues, but about the broad picture of information security control.
“It isn’t really that [the trend] is throwing up areas of control that we security pros have been overlooking or been unable to solve,” he said. Rather, it’s about being asked “to provide detailed measurement and demonstrable evidence of the completeness and effectiveness of the protection provided to the corporate world.”
Kim Milford, information security manager at the University of Rochester in New York, said she also sees a trend toward more compliance spending in 2006. “I think this is a great opportunity to rethink security spending, because it shifts the focus from the reactive work of incident response to more proactive controls and helps us to focus on best practices,” she said.
The survey results highlight the growing pressure regulations are putting on information security organizations, IT managers said. At the same time, they also underscore a growing trend by many to use compliance as an excuse for all security spending, said Lloyd Hession, chief information security officer at BT Radianz, a New York-based provider of network connectivity services to financial firms.
“Compliance has become a big stick” that information security organizations are increasingly using to justify technology investments, Hession said.
Often, technologies that need to be implemented anyway are being described as compliance-related to get executive buy-in, Hession said. “It’s not like all of a sudden there’s a whole bunch of products that I need to implement because of compliance,” he said.
Bellevue, Wash.-based Charter Bank has implemented several new security technologies over the past few years as part of a continuing bid to secure its networks against emerging threats, said Tom Robertson, senior vice president of IT at the bank. While the investments allow the bank to comply with regulations, that has not been the primary driver, he said.
He agreed with Hession. “Many [firms] are using the regulatory hammer to get executive buy-in” for security investments, Robertson said.
In a sense, regulatory compliance is increasingly being wielded by information security organizations in the same way companies used the Y2K crisis to justify IT spending, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc. As a result, investments that are earmarked as being compliance-related “are often being used to buy the same things that were bought before,” he said.
The two areas where compliance-related efforts have resulted in increased spending are security event management tools and identity management and password management technologies, he said. “But in general, the increased investments in these areas come at the expense of spending in other areas,” he said.
As a result, the overall spending on information security itself has not increased significantly, Pescatore said.