Just over half of UK companies have not implemented the necessary processes and procedures to comply with legislative directives such as PCI DSS and Mifid, according to a new survey commissioned by security system developers NetIQ.

The survey also shows a high degree of scepticism among IT staff concerning the commitment to IT security at board level, with 40 per cent of respondents saying that the board were merely paying lip-service to IT security to gain compliance status.

"This reinforces the need for the CSO to be not only a technologist but also a good communicator, who is able to interact with people outside the IT department. We see many misconceptions about the importance of risk management in the marketplace," said Ulrich Weigel, director of security products for NetIQ.

"It is imperative that they are able to communicate at senior board level that security is no longer just a cost item on the P&L, but that it can actually differentiate them from their competitors and win them new business."

The results reveal a lack of readiness of companies to meet compliance goals despite being their most critical security issue ahead of business continuity, data leakage and protection against viruses and spyware.

The survey was conducted by EMedia and questioned 218 security and IT managers about their company's readiness and views on compliance and risk management.

Other survey findings pointed to a lack of co-ordination between the IT department and the rest of the business, as 29 per cent of IT security managers felt that their company's security policies were sufficiently integrated with the rest of their business objectives.

Furthermore, 57 per cent of them felt that internal staff didn't understand the legislation that affected their business.

These findings confirm similar results from a report titled What's Top Of Mind For European Security Managers? by analyst firm Forrester Research.

"CSOs/CISOs have traditionally been IT people focused on technology, but the job is shifting to focus more on business risk management," said Thomas Raschke, an analyst at Forrester Research.

"We are currently in a time of transition, one that can make CISOs with less business-side experience acutely uncomfortable. In the interim, legacy CISOs and other security managers still struggle with gaining visibility and influence within the business."