
Enterprises Spend Too Much on Compliance

Apr 6, 2010

Results out this week from a new survey of IT security decision-makers show that even though enterprises may be improving their compliance efforts, organizations are leaving their corporate secrets unprotected as a result of out-of-balance budgets that too strongly prioritize compliance over risk mitigation.

Conducted by Forrester Consulting on behalf of Microsoft and RSA, The Security Division of EMC, the survey queried 305 IT leaders around the globe. It showed that 90 percent of these leaders consider compliance with PCI-DSS, data privacy laws, data breach regulations, and existing data security policies to be the primary driver of their data security programs, and that they spend on average about 39 percent of their budgets on compliance-related data security programs.

However, when the survey examined the make-up of enterprise information portfolios, it showed that organizations are misplacing some of their priorities. Though the primary driver is pushing for protection of the "custodial data" covered by compliance, things like customers' and employees' personally identifiable information, this data makes up only 38 percent of the typical information portfolio. Corporate secrets, the business-critical intellectual property, comprise about 62 percent.

"This strongly suggests that investments are overweighed toward compliance," Forrester concluded in the survey.

According to Sam Curry, marketing CTO for RSA, even though companies should still be spending money on protection of customer, medical and payment card information, they need to shift some focus to intellectual property and data that means something to actual business operations.

"If IP is lost, it can cause long term competitive harm to an organization. The recent and highly-sophisticated attacks targeting intellectual property of large multinational companies are examples of this type of loss," Curry said.

The survey found that not only is there an imbalance in which information is protected, but also in which types of loss organizations prepare for. Respondents indicated that the bulk of organizations focus their data security efforts primarily on incidents related to accidental loss. At the same time, respondents reported that employee theft of sensitive information is 10 times costlier than accidental loss on a per-incident basis, often the difference between tens of thousands of dollars and hundreds of thousands of dollars.

Perhaps one of the reasons that organizations are failing to properly prioritize is because they’re still failing to measure the effectiveness of their security programs, Forrester concluded.

Despite wide variation among the respondents in security spending, in views on the value of their information, and in the number of security incidents they reported, nearly every company surveyed rated its security controls as equally effective.

"Most enterprises do not actually know whether their data security programs work or not, other than by raw incident counting," the study read. "'Compliance' in all its forms has helped CISOs buy more gear. But it has distracted IT security from its traditional focus: keeping company secrets secure."
