At the same time, the survey said, IT organizations and information security groups are failing to take advantage of compliance-related concerns to rearchitect their security organizations.

"The sheer number of regulations and the consequences of not complying have brought information security into the boardroom," the report said. "Yet many organizations are missing the rare investment opportunities that compliance offers to promote information security as an integral part of their business."

In Ernst & Young's survey of 1,300 organizations worldwide, nearly two-thirds of respondents said compliance is the primary driver of information security at their businesses, followed by worms and viruses and meeting business objectives.

The results are surprising, given that 2005 has been an especially busy year for worms and viruses, said Rudy Bakalov, senior manager of security and technology solutions at Ernst & Young. "We are very happy that compliance with regulations has become such a high priority," Bakalov said. Even so, most information security organizations are continuing to focus on tactical issues rather than strategic ones, he said.

For example, nearly 90 percent of those implementing security measures to comply with regulations are focusing on issues such as policies, procedures training and awareness campaigns, he said. Only 41 percent are also reorganizing their information security function and their architectures as part of the compliance process, he said.