IT security thought to be 'not a CEO concern'

Senior management 'neither know themselves or their enemies very well' when it comes to IT security, according to Ernst & Young

A "failure to invest [in] and failure to enforce" information technology safety measures will lead to an increase in organisational security breaches around the world, according to advisory and research body Ernst & Young.

The body said in its Global Information Security Survey 2004 "quite a few organisations aren't 'doing security right'".

Ernst & Young said its survey -- which involved interviews with more than 1,230 organisations in 51 countries -- found that "lack of security awareness" amongst employees was the obstacle rated highest by the majority of organisations.

However, only 28 percent of the respondents listed "security training or awareness" as a number one initiative for 2004.

"The will to commit resources… is not reflected in outward action," states the report, as "no amount of technology can reduce the human dimension." According to the survey, "persistent gaps" continue to emerge in the level of diligence and the resources a company commits to ensure a minimum level of security, "particularly in security awareness and training".

"Management is hesitant to assign priority to human capital but will readily commit to technology purchases," states the survey, which also reveals that less than half of organisations globally provide employees with ongoing training in security and controls.

Internal threats are also under-emphasised, according to the survey, which states that although organisations may focus on external threats such as hackers and viruses, "the most lethal threats are those originating from within".

"The fact that internal incidents don’t garner media scrutiny isn’t because they don’t happen," the survey said.

According to the results, organisations rated "employee misconduct involving information systems" as a "distant second" behind external virus threats as the biggest security concern in an organisation.

"We expect that incidents – particularly internal ones – will proliferate unless senior management makes information security a core management and governance function," stated the survey.

The survey found that close to 70 percent of the responding organisations' boards of directors did not receive quarterly reports on the status of company information security, while only 20 percent of respondents agreed that information technology security was a CEO-level concern.

The failure of organisations to monitor the security of their outsourcers is also becoming an "ever-growing risk", according to the survey, which states that "senior management is more trusting than prudent".

"They [management] may feel, wrongly so, that their organisation is adequately protected, when in reality their significant technology investments are undermined by any number of process flaws," it said.

According to the survey, around 80 percent of respondents did not conduct regular security assessments of their outsourcers to confirm that security regulations were being complied with. The survey also revealed that 70 percent of organisations worldwide did not regularly assess outsourcers' compliance with the organisation's own information technology security policy.

The survey stated that many of the responding organisations should not feel at ease with their level of information technology protection.

"The number of unaddressed security areas suggests that many organisations should not feel comfortable and secure, since they neither know themselves or their enemies very well," it said.