Survey: Regulatory compliance drives IT security

04.11.2005

"It doesn't surprise me that compliance and regulations are overtaking worms and viruses," John Meakin, group head of information security at Standard Chartered Bank in London, said via e-mail. "As the focus on general corporate governance and maturity of overall risk management increases, security professionals are being asked not just about the headline issues, but about the broad picture of information security control.

"It isn't really that [the trend] is throwing up areas of control that we security pros have been overlooking or been unable to solve," he said. Rather, it's about being asked "to provide detailed measurement and demonstrable evidence of the completeness and effectiveness of the protection provided to the corporate world."

Kim Milford, information security manager at the University of Rochester in New York, said she also sees a trend toward more compliance spending in 2006. "I think this is a great opportunity to rethink security spending, because it shifts the focus from the reactive work of incident response to more proactive controls and helps us to focus on best practices," she said.

The survey results highlight the growing pressure regulations are putting on information security organizations, IT managers said. At the same time, they also underscore a growing trend among many to use compliance as an excuse for all security spending, said Lloyd Hession, chief information security officer at BT Radianz, a New York-based provider of network connectivity services to financial firms.

"Compliance has become a big stick" that information security organizations are increasingly using to justify technology investments, Hession said.