Infosecurity teams still isolated

Infosecurity teams still isolated

New research from Ernst & Young finds many security teams are still struggling to integrate with the business

Information security teams are still isolated from the decision-making process in organisations and many are struggling to recruit the right level of experienced professionals, according to the latest Global Information Security Survey from consultancy Ernst & Young released today.

The annual survey, which is based on interviews with executives from around 1300 organistions, found that nearly a third of firms' infosecurity teams never meet with their board and meetings with IT are three times more likely than they are with business leaders.

However, there is some "light at the end of the tunnel" according to Ernst & Young's head of information security for northern Europe, Seamus Reilly. "Most firms are looking at enterprise risk and operational risk and bringing the, together and information security is part of that risk," he explained. " Four out of five do some integration of information security into risk management and 29 percent have fully integrated."

Reilly added that many IT security teams are in a dilemma in that although nearly half recognise that helping the business meet its objectives is one of their most important drivers, they can't do this because they are not integrated enough into the risk management function.

"If you're not in the appropriate place in an organisation, how can you make a contribution to the delivery of business objectives," he argued.

The report also found that many firms are struggling to attract enough skilled information security professionals, as the role of the function expands. Over half of respondents rated this as their number one challenge in delivering strategic information security projects.

To overcome this problem, Reilly advised firms to be more formal about identifying skills gaps and putting appropriate training programs in place, as they do for other areas of the business. He added that co-sourcing is also increasingly being seen as a partial solution to this problem.

"But if we're going to leap across the information security - business divide information security teams need to train their executive management [in the impact of security issues on the organisation]," he argued. "With all the recent incidents, when are we ever going to have a better occasion?"

Andrew Kellett of analyst firm Butler Group argued that the continuing isolation of IT security teams from the decision-making process was unsurprising, but added that the increased instances of data loss had pushed risk management and information security's place within this to the fore.

Kellett also argued that the lack of skilled security professionals may be due to its being not a clearly defined function in all but the largest organisations. "Everyone talks about the CSO with his team of people, but most are still fire-fighting," he added. "Unless you work in a very large organisation there is no career structure – [security] is probably not something you think of when you move into IT."