3 November 2005 Regulatory compliance is the principle reason companies invest in information security technology, not infrastructure vulnerabilities that might impair business operations, according to research published this week.

Over two thirds of respondents to corporate consultants Ernst & Young’s 8th annual Global Information Security Survey – representatives of 1,300 global organisations from private and public sectors – cited compliance with regulations such as the EU’s Eighth Directive and the US Sarbanes-Oxley Act as the primary driver of IT security.

The sheer weight of regulation to which businesses must comply, and the gravity of the consequences of non-compliance, has made IT security a board-level issue. But the authors of the research complained that security spending is not seen as a strategic function.

“Compliance is proving to be more of a distraction than a catalyst for information security becoming strategically aligned within organisations,” said Edwin Bennett, global director of technology and security risk services at Ernst &Young.

Neglected areas of security concern include mobile technology and wireless connectivity. Fewer than 50% of respondent organisations train employees to combat the security risks associated with mobile devices, and fewer still train staff how to deal with security incidents when they arise.

Bennett urged organisations to look beyond their own infrastructures in ensuring information security, and to be aware of the security provisions of third parties with whom they have relationships.

“All organisations need to consider the security of their business partners, outsourcing arrangements, suppliers and customers,” he said. “Otherwise the value created by these arrangements can quickly diminish due to security, privacy or identity breaches.”