
Security divorced from strategy

Ernst & Young survey finds IT security isolated from business decision making

IT security policy is too far removed from business strategy, according to a new report from consultants Ernst & Young.

The Ernst & Young Global Information Security Survey, which quizzed executives from nearly 1,300 organisations around the world, found that the security team never met with the board of directors in nearly a third of organisations.

Furthermore, only 50% of organisations give their executives any training on the impact that security issues could have on the business.

More positively, the IT security capabilities of organisations are becoming increasingly integrated into risk management functions. There was ‘some level of integration’ between the two departments in 82% of respondent organisations.

But that integration may be making it harder for IT security departments to align to business strategy, said Richard Brown, head of Ernst & Young’s Technology Security and Risk Services practice.

“Many information security functions are struggling to balance their traditional risk management roles with a growing focus on Information Security being a contributor to performance improvement; a struggle that is exacerbated when information security is not closely connected to the strategic decision-making process,” said Brown.

The survey identified data protection as a growing driver for IT security investment, with 58% placing it among their top three drivers compared to 41% in 2006.


By Pete Swabey, pswabey@information-age.com