Study Shows IT Security Holds The Key To Compliance
Automating IT security functions, not consultants or services, along with frequent auditing of data security, improves compliance, an IT Policy Compliance Group study shows. Organizations most successful in meeting compliance demands are spending $1 on IT security for every $30,000 in revenue, assets under management, or agency budget.
Companies most likely to successfully navigate today's regulatory environment need to automate IT security functions rather than blow their budgets on pricey consultants or services, and they need to do more frequent auditing of the systems and data security. So says the IT Policy Compliance Group Monday in its latest report on the relationship between regulatory compliance and IT security spending.
The group, formed last year by the Computer Security Institute, the Institute of Internal Auditors, and Symantec and formerly known as the Security Compliance Counsel, began its study assuming that larger organizations had more resources to throw at any given compliance project. While this is true, they were surprised to learn that larger organizations don't necessarily perform better than their smaller counterparts when it comes to actually achieving compliance, says Jim Hurley, managing director of the IT Policy Compliance Group and a director of research for Symantec. "It's not a matter of resources, it's what you do with them," he adds.
The IT Policy Compliance Group's study, which surveyed the spending patterns of 876 organizations, found that those most successful in meeting compliance demands are spending $1 on IT security for every $30,000 in revenue, assets under management, or agency budget, depending upon the type of organization. Those lagging behind in terms of compliance are spending $1 on IT security for every $90,000.
Only about 11% of the organizations surveyed reported that they've suffered fewer than three compliance problems in the past year. Nearly 70% experience between three and 15 IT compliance problems annually, while the rest had to correct as many as hundreds of IT compliance deficiencies in a single year, a situation that can lead to fines as well as the siphoning of resources from other important IT projects.
Hurley says a good rule of thumb for compliance spending is to allocate more than 10% of the overall IT budget on security systems, including configuration change management systems, as well as auditing, monitoring, and reporting tools. Other helpful investments include software for managing IT security policies, standards, controls, and documentation. Another key to successful compliance, the group found, is regular auditing. Those that audited the security of their systems monthly were far more successful at achieving compliance than those who audited only once annually.
Hand in hand with this was the observation that organizations are better served spending their security dollars on hardware and software such as configuration and change management applications, antivirus, user-access control systems, and reporting tools, which facilitate more frequent audits, rather than spending the money to hire more contractors and outside services. Organizations with the fewest compliance problems are spending 9% more to automate audit functions and 11% less on contractors and outside services.
IT leadership also is an important ingredient in achieving and maintaining compliance. "At the board level, executives want to know their level of risk related to compliance, so [chief information security officers], chief privacy officers, and chief risk officers have to be able to connect spending on IT security with meeting the demands of various regulations," says Rocco Grillo, director of the security practice at risk-assessment firm Protiviti, which Monday officially joined the IT Policy Compliance Group.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?