Information security teams are still isolated from the decision-making process in organisations and many are struggling to recruit the right level of experienced professionals, according to the latest Global Information Security Survey from consultancy Ernst & Young released today.
The annual survey, which is based on interviews with executives from around 1300 organisations, found that nearly a third of firms' infosecurity teams never meet with their board, and that meetings with IT are three times more likely than meetings with business leaders.
However, there is some "light at the end of the tunnel" according to Ernst & Young's head of information security for northern Europe, Seamus Reilly. "Most firms are looking at enterprise risk and operational risk and bringing them together, and information security is part of that risk," he explained. "Four out of five do some integration of information security into risk management and 29 percent have fully integrated."
Reilly added that many IT security teams are in a dilemma in that although nearly half recognise that helping the business meet its objectives is one of their most important drivers, they can't do this because they are not integrated enough into the risk management function.
"If you're not in the appropriate place in an organisation, how can you make a contribution to the delivery of business objectives?" he argued.
The report also found that many firms are struggling to attract enough skilled information security professionals, as the role of the function expands. Over half of respondents rated this as their number one challenge in delivering strategic information security projects.
To overcome this problem, Reilly advised firms to be more formal about identifying skills gaps and putting appropriate training programs in place, as they do for other areas of the business. He added that co-sourcing is also increasingly being seen as a partial solution to this problem.
"But if we're going to leap across the information security-business divide, information security teams need to train their executive management [in the impact of security issues on the organisation]," he argued. "With all the recent incidents, when are we ever going to have a better occasion?"
But John Colley, European managing director of certifications organisation ISC2, argued that more investment is being made to train security staff. "Many organisations are dealing with the problem of finding experienced and trained resources, as highlighted in the survey, by employing less experienced staff and investing in training and education to get them up to speed," he added.
Firms are also educating executives and staff on the impact of security issues, he explained.
"As a result we have seen a gradual shift in responsibility for securing information assets from the chief information officer (CIO) into other areas of senior management and business, including the chief executive officer, chief financial officer, chief risk officer and chief information security officer, as well as legal and compliance departments," said Colley.
Andrew Kellett of analyst firm Butler Group argued that the continuing isolation of IT security teams from the decision-making process was unsurprising, but added that the increased instances of data loss had pushed risk management and information security's place within this to the fore.
Kellett also argued that the lack of skilled security professionals may be because security is not a clearly defined function in all but the largest organisations. "Everyone talks about the CSO with his team of people, but most are still fire-fighting," he added. "Unless you work in a very large organisation there is no career structure – [security] is probably not something you think of when you move into IT."
Infosecurity teams still isolated
By Phil Muncaster on Dec 12, 2007 10:44AM