More than half (51%) of the UK financial firms surveyed have not implemented the security processes needed to comply with regulatory and industry requirements such as PCI DSS and MiFID, says a report.
Many UK financial firms are not ready to meet their compliance goals, and IT staff are sceptical about the board's understanding of IT security. These are the key findings of a survey of 218 security and IT managers at financial firms, which asked about their company's readiness for, and views on, compliance and risk management. In fact, 40% said the board was merely paying lip-service to IT security in order to gain compliance status.
The survey, conducted by EMedia on behalf of NetIQ, said there is a lack of co-ordination between the IT organisation and the rest of the business. Almost a third, 29%, of IT security managers said their company’s security policies were not closely aligned with its business objectives or areas of risk within their organisation. Further, 57% of them claimed that internal staff didn’t understand the legislation that affected their business.
Industry analyst Thomas Raschke of Forrester Research echoed the finding that there is a lack of understanding between IT on one side and the board and user community on the other.
In the recent Forrester report, ‘What's top of mind for European security managers?’, Raschke says the focus of chief security officers (CSOs) and chief information security officers (CISOs) has shifted from technology to business risk management.
Raschke said: "We are currently in a time of transition, one that can make CISOs with less business-side experience acutely uncomfortable. In the interim, legacy CISOs and other security managers still struggle with gaining visibility and influence within the business."
Ulrich Weigel, director of security products for NetIQ, said: "This reinforces the need for the CSO to be not only a technologist but also a good communicator, who is able to interact with people outside of the IT department. We see many misconceptions about the importance of risk management in the marketplace. Successful companies are beginning to realise that security management is about more than buying a bunch of different security technologies and deploying them. IT and security managers must ensure that the policies and procedures are relevant and integrated with their company's business and objectives."
Weigel added that CSOs must communicate at senior board level that security is no longer just a cost item, because it can "differentiate them from competitors and win them new business".