Information security too important for IT

Company directors still view security as a sunk cost, despite it being an issue that is too important to leave to technical specialists or junior managers.

A new report from Henley Management College has found that few companies are giving security the board level attention it deserves, even though it is becoming an increasingly important corporate issue.

David Birchall, director of research at Henley, explained that the report highlighted a gap between board members responsible for reporting business risk, and the people to whom they delegate IT security responsibility.

"It is unfair to leave the responsibility of information security to the IT department because it is a much broader issue than putting in place IT security measures," he said.

"It is also about getting people to behave in an ethical way. There needs to be much more of a cross-discipline approach and the board needs to promote this more than they do already."

Only 28 per cent of UK businesses make their employees aware of their roles in business security, according to Department of Trade and Industry figures published last year.

But finding suitably qualified staff to head up the information security function is a headache for many companies, said Birchall.

"It needs to be someone who understands risk, business and technology," he explained. "It's a challenge. The language IT people use is a barrier to working with other departments."

The study indicated that the right strategy can benefit companies by offering a competitive edge and having a positive impact on the internal cultural environment.

"Information security is still seen as a cost rather than an opportunity but if companies have good secure systems, or are responsive in putting things right, they can promote themselves," said Birchall.

"But companies aren't prepared to do that because they see it as setting themselves up to be knocked down."

The report suggested several key questions boards should be asking themselves about their security strategies, but warned that the answers will not always be simple and may require the management of conflicting priorities.

These include complex trade-offs between procedural controls and creativity, top-down control and trust, reputation and bottom line.