Security is not on the board

Boards are not talking to security officers

Companies are not including information security in their executive decision-making processes, leaving them exposed to the threats, according to the Ernst & Young Global Information Security Survey.

Nearly one-third (32 per cent) of security officers never meet with the board or audit committee, and more than a quarter (26 per cent ) do not report to senior management on information security compliance or incidents.

Companies need to tighten up their reporting processes, according to Richard Brown, head of Technology Security and Risk Services at Ernst & Young.

"Recent incidents in the UK have done much to highlight the lack of protection of information assets held by organisations," said Brown.

"Information security has never been so high up on the corporate and private individuals' agenda, which means it has to move forward on the business, and not just the IT agenda."

But information security is becoming more integrated into overall risk management of companies, says the survey. Four out of five (82 per cent) of its 1300 respondents reported some level of communication with risk management departments.

Organisations that have fully linked information security into their overall approach to risk have nearly doubled since last year, from 15 per cent to 29 per cent.