Integralis questioned 200 representatives from both the public and private sector and found that in 76% of cases overall responsibility for security implementation was still with the IT department. Only 11% of respondents said that their Board of Directors took responsibility for IT security, while 6% pointed to the HR department as being in charge of this issue.
The findings echo research carried out by the company in 2003.
"It's incredible that two years on, security risk management still isn't the boardroom issue that it should be," said Graham Jones, Integralis Director of Northern Europe.
"We're still seeing many organisations lacking the level of board commitment needed to tackle vulnerabilities at the deepest layers. The board do not appear to understand the far reaching brand, reputation and legal implications a security breach can have," he added.
The CBI/QinetiQ Business Security Survey 2004 found that 57% of companies are particularly worried about IT and network security, but, according to Integralis, the fact that the majority of its respondents still put internet speed higher in priority than corporate security shows that the message doesn't appear to be getting through 'on the ground'. This, says the firm, points to a lack of clear direction from the top.
"It is unlikely that an IT manager will know who's downloading what software at their desks, exchanging illicit and/or confidential information, chatting all day via a web phone or MSN, or be able to understand, never mind have the bandwidth to maintain, complex multi-layer security across multiple sites. Security should not start and end with the IT department," warned Jones.
