A lack of security experts is damaging the ability of companies to meet new compliance laws, according to the London School of Economics (LSE).
The McAfee-sponsored report, conducted by Dr Jonathan Liebenau at the LSE's Department of Management, concludes that difficulties in hiring and retaining the right staff were exacerbating a range of risks. Chief amongst these were the reputational risks associated with data leaks and theft.
After conducting interviews with IT directors and CSOs in large financial services organisations in Europe, Asia and the US, Liebenau’s team found that by mid-2006, reported security breaches had reached between eight and 10 per week in the US, compromising 94 million records containing sensitive personal data.
Businesses above a certain size in a majority of US states now have a legal responsibility to report data compromise as soon as it is discovered, so it was impossible for companies to avoid the fall-out from such breaches.
"The mandatory reporting of security breaches will have far-reaching implications on a business' reputation management," said Dr Liebenau. "The practice of reporting breaches, now commonplace in the US and quickly spreading to several regions in the world, will impact the way individuals and organisations think about information handling in general and reputation protection in particular."
Such headline worries risked taking resources from other less public security problems, meaning that compliance could actually increase security woes in the long term. Sensible assessment of how to balance such issues depended on having the right people in place, and these were now in very short supply. Consequently, companies found themselves over-dependant on a small pool of expertise.
The report found that the people who formulated security policies were often different from those who managed and maintained them, leading to a disconnect between aspiration and reality. Evaluating such problems was difficult because of a lack of good benchmarks.