Boardroom backing of security policies is the most important element in effectively securing an organisation's information, according to research published this week.

The Global Information Security Workforce Study 2006 conducted by analyst IDC for the International Information Systems Security Certification Consortium (ISC²), says the second most important factor is getting users to follow a policy.

Ed Zeitler, executive director, ISC² speaking at the RSA Conference Europe this week, says there is now a universal focus on people being more important than technology to provide security.

'Security breaches that have made headlines during the past year have been a result of human error, and this further validates the long-held conventional wisdom of information security professionals that people are the critical component of an effective information security program,' said Zeitler.

The research also found that security is becoming a boardroom issue. When asked who was accountable for security in 2004, 38 per cent of respondents said the chief information officer. In 2006 that figure dropped to 19 per cent.

In 2004 12 per cent of respondents said the chief executive officer was responsible for security, while in 2006 that figure has risen to 25 per cent.

'Regulatory compliance in the public and private sector with things like Sarbanes-Oxley and Basel II puts information security into the risk profile of a bank, so responsibility for these kind of things goes much higher,' said Zeitler. ' The information security profession is being valued as an indispensable business component.'

Allan Carey, program manager at IDC, who led the study, says security professionals are helping CEOs recognise the positive contributions to business of information security.

'The message of people and processes being absolutely crucial to effective information security is finally starting to resonate with business leaders,' he said.

What do you think? Email us at: feedback@computing.co.uk