This should be your IS agenda

14.11.2005
According to Ernst & Young, which recently published its global information security (IS) survey for 2005, malware and spyware have dropped to second place on the list of top IS threats for the first time in three years.

The survey found that over two thirds of the 1,300 respondents from 55 countries (including South Africa) said that compliance with regulations was the primary driver for IS initiatives in their business.

According to Shaun Nel, Ernst & Young's senior manager for information systems assurance and advisory services, the survey highlighted four major themes.

He says that the survey found companies caught in a compliance paradox: compliance is a driving force behind IS spending, yet the vast majority of companies are not using the opportunity to invest proactively in IS.

"For example," Nel says, "just under 90 percent of respondents who are implementing IS measures as a result of having to comply with regulations focus on creating new policies and procedures."

In stark contrast, just over 40 percent of the companies surveyed are using compliance with internal control regulations as an opportunity to reorganize their IS function or to change their existing security architecture.

Most disturbing was the fact that over 80 percent of the surveyed companies rated compliance with corporate policies and procedures ahead of enabling strategic initiatives and the launch and delivery of products or services.

The survey also found that, because of globalization, organizations no longer have only their own IS risks to deal with.

"Business boundaries are crumbling," says Nel, "and IS goes further than just securing one's own business. Finally, protecting customers is an issue for attention."

However, despite growing international interdependency, many organizations are still not paying adequate attention to vendor risk management. Two fifths of respondents had no process in place, formal or informal, to assess vendor risk.

But the weak links are everywhere, Nel says, with a lack of resources playing a major part in organizations' inability to adopt IS standards and become certified against them.

As business demands push the adoption of emerging technologies, security risks are increasing, driven by the sheer number of portable and mobile devices being plugged into and unplugged from corporate networks every day.

End-users are also becoming more tech-savvy over time, and with that comes a growing need for personal responsibility at end-user level. Among the top concerns for businesses are mobile computing, removable data storage and wireless networks. Interestingly, open source software (OSS) is categorized as a possible concern, purely because of its 'unknown' factor.

Lastly, on the theme of organizational alignment and delivery, two thirds of respondents report that they have an IS function, but more than a quarter of them say that this function is not incorporated into the organization's overall security risk management processes.

In addition, a large percentage of the overall IS budget is spent on routine operations, work that could readily be outsourced or automated.

The key to putting together and executing an IS strategy, Nel says, lies in building on standards and in not going it alone. "Organizations need to do the right things right. We often find that businesses will do the wrong thing extremely well, however, and they generally tend to be putting out fires, instead of focusing on proactive protection."

With regard to standards adoption, ITIL and ISO 17799 are the most widely adopted standards, while Cobit has a surprisingly low rate of adoption.

So what should be on an organization's IS agenda going forward? The main point is to leverage compliance efforts to establish a solid IS strategy.

Getting more value from third-party and vendor relationships is also critical, as is the need to standardize security operations.