Many firms may be ignoring weaknesses in their IT as they concentrate spending and resources on systems to comply with regulations, according to a report issued by the Information Security Forum (ISF).
Many of the forum's 260 international blue-chip members said they expect to spend more than $10m each on information security controls to comply with the US Sarbanes-Oxley (SOX) Act for corporate governance. But the emphasis on security for compliance may leave gaps elsewhere, according to ISF consultant Andy Jones.
"SOX is there to be complied with, but we prefer our members to take a risk-based approach [to information security]," he added. "Otherwise, something key to the business may be missed out, like disaster recovery or business continuity."
However, Andrew Kellett of analyst firm Butler Group said the requirements of legislation such as SOX could encourage firms to view security in a wider context. "They need to protect the organisation but also fulfil [regulatory] requirements - the important thing is getting the balance right," he added.
Meanwhile, security vendor RSA last week unveiled a tool to help firms develop compliant security systems more quickly and generate information for senior executives.
The RSA Compliance Scorecard covers 40 core regulations. It is based on a framework of 65 best practices, which the company drew up after analysing security management standards such as Cobit and talking to analyst firms.
Jeff Loeb, director of product marketing for RSA, said the scorecard system helps firms select relevant business objectives, such as to protect against identity theft or intellectual property breaches, and then identifies the appropriate best practices. It also offers advice on the technology necessary to implement the guidance.