Concern about IT security is rising, but system security levels within the enterprise are actually falling.
Steve Bittinger, Gartner research director, said while mainframes may be at the 'due care' level, the proliferation of newer technologies is lowering the overall security of a company's IT systems.
"Security is not an overwhelming challenge [but] as new technologies come along each new requires time to develop good security."
Bittinger also attributes rising security concerns, and increasingly concerns about privacy legislation, to a lack of proper due diligence in the area.
He said before companies implement security hardware and software, a firm foundation of policies and governance must be in place.
"Next, the architecture should include, for example, authentication processes. We haven't dealt with security on an architecture level yet.
"Security demands also affect an organisation's structure. In leading-edge companies, a chief information security officer (CISO) reports to the CEO and acts independently to a CIO."
This CIO should look after non-IT issues, such as organisational culture, to embed security and privacy practices into the business's processes.
Simon Roller, security practice principal at Compaq, agrees.
"If privacy and security is not given to someone [specific], it will default to IT."
Roller said the challenge for security is that the cost of implementing measures is quite high. However, should a virus be found within a company on, say, 300 computers, repair and data recovery costs would be about $300,000.