Organizations are leaving their corporate secrets unprotected as a result of out-of-balance budgets that too strongly prioritize compliance over risk mitigation.
Results out this week from a new survey of IT security decision-makers show that even though enterprises may be improving their compliance efforts, organizations are leaving their corporate secrets unprotected as a result of out-of-balance budgets that too strongly prioritize compliance over risk mitigation.
Conducted by Forrester Consulting on behalf of Microsoft and RSA, The Security Division of EMC, the survey queried 305 IT leaders around the globe. It showed that 90 percent of these leaders believe that compliance with PCI-DSS, data privacy laws, data breach regulations, and existing data security policies is the primary driver of their data security programs, and that they spend on average about 39 percent of their budgets on compliance-related data security programs.
However, when the survey examined the make-up of enterprise information portfolios, it showed that organizations are misplacing some of their priorities. Though the primary driver is pushing for protection of the "custodial data" covered by compliance--things like customers' and employees' personally identifiable information--this data makes up only 38 percent of the typical information portfolio. Corporate secrets--business-critical IP--comprise about 62 percent.
"This strongly suggests that investments are overweighed toward compliance," Forrester concluded in the survey.
According to Sam Curry, marketing CTO for RSA, even though companies should still be spending money on protection of customer, medical and payment card information, they need to shift some focus to intellectual property and data that means something to actual business operations.
"If IP is lost, it can cause long term competitive harm to an organization. The recent and highly-sophisticated attacks targeting intellectual property of large multinational companies are examples of this type of loss," Curry said.
The survey found an imbalance not only in which information is protected, but also in what types of loss are prepared for. Survey respondents showed that the bulk of organizations primarily focus on data security incidents related to accidental loss. But at the same time, respondents showed that employee theft of sensitive information is 10 times costlier than accidental loss on a per-incident basis, often the difference between tens of thousands of dollars and hundreds of thousands of dollars.
Perhaps one of the reasons that organizations are failing to properly prioritize is because they're still failing to measure the effectiveness of their security programs, Forrester concluded.
Despite a wide range in security spending, views on the value of information and the number of security incidents reported among the respondents, nearly every company surveyed rated its security controls to be equally effective.
"Most enterprises do not actually know whether their data security programs work or not, other than by raw incident counting," the study read. "'Compliance' in all its forms has helped CISOs buy more gear. But it has distracted IT security from its traditional focus: keeping company secrets secure."