Retail is lagging behind other sectors in the maturity of its information
security function, despite high awareness about data protection issues among IT
leaders, according to the latest report from consultancy Deloitte, released
today.
The Taking Stock: Consumer Business Security Survey surveyed IT
leaders and chief security officers from consumer goods and retail firms and
found 73 per cent rated "unauthorised access to personal information" as the top
privacy and reputational concern.
But despite this, only 20 per cent of respondents said they have a formally
defined information security strategy, compared to the 54 per cent reported in
Deloitte's 2007 Technology Media & Telecommunications Security
Survey and 63 per cent reported in Deloitte's 2007 Global Financial
Services Security Survey.
Only 13 per cent of consumer businesses said they had performed an inventory
of personal and cardholder data. In addition, 40 per cent of respondents said
they had written privacy, fair information practices or data collection
policies in place and only 13 per cent have a programme for managing privacy
compliance.
However, many firms are still in the delivery phase of their Payment Card
Industry (PCI) standard implementations, which might account for the lack of
formal security policies to protect data, according to Deloitte's consumer
business partner, Andy Morris.
"Overall I think it's fair to say there's a long way to go in terms of the
maturity of security in the industry," he added. "But some drivers like PCI are
encouraging organisations to change and improve and in 12 months things will
look a lot more positive."
However, Morris expressed surprise over the lack of security due diligence
consumer businesses seem to show before taking on an outsourcing contract. Only
36 per cent said they conduct an independent review of vendors before engaging
them, according to the research.