Study Shows IT Security Holds The Key To Compliance
Automating IT security functions, not consultants or services, along with frequent auditing of data security, improves compliance, an IT Policy Compliance Group study shows. Organizations most successful in meeting compliance demands are spending $1 on IT security for every $30,000 in revenue, assets under management, or agency budget.
Companies most likely to successfully navigate today's regulatory environment need to automate IT security functions rather than blow their budgets on pricey consultants or services, and they need to do more frequent auditing of the systems and data security. So says the IT Policy Compliance Group Monday in its latest report on the relationship between regulatory compliance and IT security spending.
The group, formed last year by the Computer Security Institute, the Institute of Internal Auditors, and Symantec and formerly known as the Security Compliance Counsel, began its study assuming that larger organizations had more resources to throw at any given compliance project. While this is true, they were surprised to learn that larger organizations don't necessarily perform better than their smaller counterparts when it comes to actually achieving compliance, says Jim Hurley, managing director of the IT Policy Compliance Group and a director of research for Symantec. "It's not a matter of resources, it's what you do with them," he adds.
The IT Policy Compliance Group's study, which surveyed the spending patterns of 876 organizations, found that those most successful in meeting compliance demands are spending $1 on IT security for every $30,000 in revenue, assets under management, or agency budget, depending upon the type of organization. Those lagging behind in terms of compliance are spending $1 on IT security for every $90,000.
Only about 11% of the organizations surveyed reported that they've suffered fewer than three compliance problems in the past year. Nearly 70% experience between three and 15 IT compliance problems annually, while the rest had to correct as many as hundreds of IT compliance deficiencies in a single year, a situation that can lead to fines as well as the siphoning of resources from other important IT projects.
Hurley says a good rule of thumb for compliance spending is to allocate more than 10% of the overall IT budget on security systems, including configuration change management systems, as well as auditing, monitoring, and reporting tools. Other helpful investments include software for managing IT security policies, standards, controls, and documentation. Another key to successful compliance, the group found, is regular auditing. Those that audited the security of their systems monthly were far more successful at achieving compliance than those who audited only once annually.
Hand in hand with this was the observation that organizations are better served spending their security dollars on hardware and software such as configuration and change management applications, antivirus, user-access control systems, and reporting tools, which facilitate more frequent audits, rather than spending the money to hire more contractors and outside services. Organizations with the fewest compliance problems are spending 9% more to automate audit functions and 11% less on contractors and outside services.
IT leadership also is an important ingredient in achieving and maintaining compliance. "At the board level, executives want to know their level of risk related to compliance, so [chief information security officers], chief privacy officers, and chief risk officers have to be able to connect spending on IT security with meeting the demands of various regulations," says Rocco Grillo, director of the security practice at risk-assessment firm Protiviti, which Monday officially joined the IT Policy Compliance Group.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.