Study Shows IT Security Holds The Key To Compliance

Companies most likely to successfully navigate today's regulatory environment need to automate IT security functions rather than blow their budgets on pricey consultants or services, and they need to do more frequent auditing of the systems and data security. So says the IT Policy Compliance Group Monday in its latest report on the relationship between regulatory compliance and IT security spending.

The group, formed last year by the Computer Security Institute, the Institute of Internal Auditors, and Symantec and formerly known as the Security Compliance Counsel, began its study assuming that larger organizations had more resources to throw at any given compliance project. While this is true, they were surprised to learn that larger organizations don't necessarily perform better than their smaller counterparts when it comes to actually achieving compliance, says Jim Hurley, managing director of the IT Policy Compliance Group and a director of research for Symantec. "It's not a matter of resources, it's what you do with them," he adds.

Nothing has driven spending on IT security products and services over the past few years more than the need to comply with a flurry of new regulations flowing out of Washington, including the Health Information Portability and Accountability Act, Sarbanes-Oxley, and Gramm-Leach-Bliley. Last week saw the debut of the newly amended Federal Rules of Civil Procedure, which force companies to better manage electronically stored information that can be used as evidence in civil court cases. There have been 114,000 new regulations introduced in North America alone since 1981, Adam Losner, VP of finance for the Securities Industry Automation Corp., said at a September IT Policy Compliance Group meeting at the Interop show in New York. Next year, expect a federal data breach notification law to be added to the list.

The IT Policy Compliance Group's study, which surveyed the spending patterns of 876 organizations, found that those most successful in meeting compliance demands are spending $1 on IT security for every $30,000 in revenue, assets under management, or agency budget, depending upon the type of organization. Those lagging behind in terms of compliance are spending $1 on IT security for every $90,000.

Only about 11% of the organizations surveyed reported that they've suffered fewer than three compliance problems in the past year. Nearly 70% experience between three and 15 IT compliance problems annually, while the rest had to correct as many as hundreds of IT compliance deficiencies in a single year, a situation that can lead to fines as well as the siphoning of resources from other important IT projects.

Hurley says a good rule of thumb for compliance spending is to allocate more than 10% of the overall IT budget on security systems, including configuration change management systems, as well as auditing, monitoring, and reporting tools. Other helpful investments include software for managing IT security policies, standards, controls, and documentation. Another key to successful compliance, the group found, is regular auditing. Those that audited the security of their systems monthly were far more successful at achieving compliance than those who audited only once annually.

Hand in hand with this was the observation that organizations are better served spending their security dollars on hardware and software such as configuration and change management applications, antivirus, user-access control systems, and reporting tools, which facilitate more frequent audits, rather than spending the money to hire more contractors and outside services. Organizations with the fewest compliance problems are spending 9% more to automate audit functions and 11% less on contractors and outside services.

IT leadership also is an important ingredient in achieving and maintaining compliance. "At the board level, executives want to know their level of risk related to compliance, so [chief information security officers], chief privacy officers, and chief risk officers have to be able to connect spending on IT security with meeting the demands of various regulations," says Rocco Grillo, director of the security practice at risk-assessment firm Protiviti, which Monday officially joined the IT Policy Compliance Group.