Corporate governance and compliance remain the major concerns for chief
information security officers (CISOs), despite the proliferation of other
security themes that have dominated the headlines in recent months.
Speaking exclusively to IT Week ahead of this week's Microsoft CISO Council,
Mike Grenham, BA's information security manager, argued that while data breach
incidents have been in the public eye recently and are treated seriously, "from
our perspective one of the biggest challenges is compliance with things like PCI
and SOX".
But while compliance programmes can be perceived negatively by the business,
they benefit the security function by providing CISOs with an opportunity to
"get stuff done" and deliver an improved security capability, he added.
Indeed, many organisations would benefit from a more proactive approach to
compliance, said Marc Rogers, performance and security manager at Vodafone. He
argued that many firms still adopt a tick box approach, rather than a more
strategic one which involves working within a consistent framework.
"I've seen organisations where SOX is dropped on the floor then they move on
to the next audit du jour," he explained. "It should be an ongoing process."
Outsourcing was also highlighted as a major cause of security risk. Orhan
Moye, information security risk manager at law firm Linklaters, argued that data
protection concerns are heightened when third parties process company
information.
Vodafone's Rogers added that when functions are outsourced to countries with
extreme poverty, the risk can increase. "When the staff are earning a fraction
of the customer account they're processing, you need to ensure the security
controls are appropriate to the level of risk," he argued.