An IT Governance Institute survey of C-level executives indicates that security and compliance issues have moved to the bottom of the pile, as far as IT is concerned.
The study is the result of about 700 interviews with CEOs and CIOs in 22 countries. According to their responses, staffing and ROI issues rank at the top, while IT transparency issues and outsourcing concerns are in the middle of the pack.
According to the accompanying report published by the institute, these results may be surprising, but could “reflect the results of the recent significant efforts put into IT security projects and compliance programmes (e.g. Sarbanes-Oxley in the U.S.).”
In other words, enterprises have already expended money and effort in creating IT solutions and may be satisfied that they are addressing security and compliance concerns. Another explanation may be the group that was targeted by the survey, said Michael Cangemi, editor-in-chief of IS Control Journal and a past president of the Information Systems and Control Association.
“Those guys are more worried about the business, they’re more worried about return on investment. That’s why staffing comes up (as a top priority): they probably can’t find the people,” he said. “That’s what most business leaders are concerned about; making money.”
But governance and compliance issues should be top of mind within any organization, said Barry Saunders, an audit associate in the Auditor General’s office in Winnipeg and chair of the Winnipeg chapter of ISACA.
“Governance is something that needs to come from the top. Somebody on the board needs to say, ‘This is the way it has to be done,’ and it has to filter all the way down to the janitor, basically,” he said.
He added that, ideally, governance should come from a specialist on the board of directors and be filtered through the CEO and down through the organization. “The board has to be the one that drives it,” he said.
The lack of knowledgeable board members was what led to the corporate meltdowns and accounting scandals of recent years, he said.
Saunders added that he wasn’t surprised security is low on the list of C-level concerns because, paradoxically, it has become such a buzzword in recent years. The main issue isn’t deploying security solutions, he said, but the need to keep staff vigilant.
“Most people are more accepting of security. They’re no longer writing their passwords and putting them on their terminals,” said Saunders. “Part of that’s an educational process. It has to be part of any security program. You can have all the best controls in the world, but if people aren’t following them, the more trouble you’re going to get into.”