The 10th annual Ernst and Young Global Information Security Survey makes interesting reading.
The report draws particular attention to the growing integration of information security into enterprise risk management, an area in which physical and operational security practitioners should already be very active.
Unlike physical security, however, the key driver for infosec integration is regulatory compliance, as the following extract from the report explains:
A powerful message from this year’s survey is the proportion of respondents who acknowledge they have partially or fully integrated their information security functions with risk management operations (82%, compared with 40% in 2005 and 43% in 2006), with regulatory compliance as a major integration stimulus. The proportion of organisations that have fully integrated both functions nearly doubled, from 15% in 2006 to 29% in 2007.
Is this an indicator that information security will no longer be a part of the IT function? Ernst and Young don’t think so. Rather, this result substantiates a growing trend to integrate the information security function along strategic/governance lines for regulatory compliance and architectural lines within the IT function.