The report from Ernst & Young surveyed 1,300 public and private sector organizations in 55 countries and revealed that for the first time complying with regulatory initiatives such as Sarbanes-Oxley and the European Commission 8th Directive had become more important to information security than the traditional concerns around viruses and worms.
Nearly two-thirds of respondents cited rules and regulations as the focus of their information security practices. This is compared to only nearly a third who thought worms and viruses would have an effect on their organization.
The authors of the report said the sheer number of regulations and the consequences of not complying with them have escalated information security onto the boardroom agenda.
Jan Babiak, head of Information Security Advisory Services at Ernst & Young said, "This year's research shows that not only is regulation the new primary driver for information security investment, the pressure to comply with the huge burden created by industry regulation such as Sarbanes-Oxley and the 8th Directive has placed information security firmly in the boardroom."
Babiak said it was disappointing that so many senior executives were "missing the opportunity to use compliance as a catalyst to leverage this investment and more importantly embed information security as an integral part of their strategic initiatives."
The survey revealed that for respondents once parts of the business were outsourced they tended to fall off the security radar.
Only 17 percent of respondents required independent third party reviews of their vendor and one-fifth of respondents avoided dealing with vendor risk management at all; one-third reported they had only informal procedures in place to do so.
"It is no longer enough for management to consider just their own information security issues and threats," Babiak said. "Today organizations' interdependencies are fundamental to each other's business. Plainly put, a security breach in a third party partner could bring down your organization."