Survey: Regulatory compliance drives IT security

Regulatory compliance has emerged as the biggest driver of information security initiatives, trumping concerns such as worms and viruses for the first time, according to the results of a survey released Wednesday by Ernst & Young.

At the same time, the survey said, IT organizations and information security groups are failing to take advantage of compliance-related concerns to rearchitect their security organizations.

“The sheer number of regulations and the consequences of not complying have brought information security into the boardroom,” the report said. “Yet many organizations are missing the rare investment opportunities that compliance offers to promote information security as an integral part of their business.”

In Ernst & Young’s survey of 1,300 organizations worldwide, nearly two-thirds of respondents said compliance is the primary driver of information security at their businesses, followed by worms and viruses and meeting business objectives.

The results are surprising, given that 2005 has been an especially busy year for worms and viruses, said Rudy Bakalov, senior manager of security and technology solutions at Ernst & Young. “We are very happy that compliance with regulations has become such a high priority,” Bakalov said. Even so, most information security organizations are continuing to focus on tactical issues rather than strategic ones, he said.

For example, nearly 90 percent of those implementing security measures to comply with regulations are focusing on issues such as policies, procedures training and awareness campaigns, he said. Only 41 percent are also reorganizing their information security function and their architectures as part of the compliance process, he said.

“It doesn’t surprise me that compliance and regulations are overtaking worms and viruses,” John Meakin, group head of information security at Standard Chartered Bank in London, said via e-mail. “As the focus on general corporate governance and maturity of overall risk management increases, security professionals are being asked not just about the headline issues, but about the broad picture of information security control.

“It isn’t really that [the trend] is throwing up areas of control that we security pros have been overlooking or been unable to solve,” he said. Rather, it’s about being asked “to provide detailed measurement and demonstrable evidence of the completeness and effectiveness of the protection provided to the corporate world.”

Kim Milford, information security manager at the University of Rochester in New York, said she also sees a trend toward more compliance spending in 2006. “I think this is a great opportunity to rethink security spending, because it shifts the focus from the reactive work of incident response to more proactive controls and helps us to focus on best practices,” she said.

The survey results highlight the growing pressure regulations are putting on information security organizations, IT managers said. At the same time, it also underscores a growing trend by many to use compliance as an excuse for all security spending, said Lloyd Hession, chief information security officer at BT Radianz, a New York-based provider of network connectivity services to financial firms.

“Compliance has become a big stick” that information security organizations are increasingly using to justify technology investments, Hession said.

Often, technologies that need to be implemented anyway are being described as compliance-related to get executive buy-in, Hession said. “It’s not like all of a sudden there’s a whole bunch of products that I need to implement because of compliance,” he said.

Bellevue, Wash.-based Charter Bank has implemented several new security technologies over the past few years as part of a continuing bid to secure its networks against emerging threats, said Tom Robertson, senior vice president of IT at the bank. While the investments allow the bank to comply with regulations, that has not been the primary driver, he said.

He agreed with Hession. “Many [firms] are using the regulatory hammer to get executive buy-in” for security investments, Robertson said.

In a sense, regulatory compliance is increasingly being wielded by information security organizations in the same way companies used the Y2k crisis to justify IT spending, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc. As a result, investments that are earmarked as being compliance-related “are often being used to buy the same things that were bought before,” he said.

The two areas where compliance-related efforts have resulted in increased spending are security event management tools and identity management and password management technologies, he said. “But in general, the increased investments in these areas comes at the expense of spending in other areas,” he said.

As a result, the overall spending on information security itself has not increased significantly, Pescatore said.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now