Security Programs Focusing Too Much on Compliance, Study Finds
Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found.
A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property accounts for 62 percent of the value of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but that their security programs are driven mainly by compliance rather than by protection of those assets.
"Despite the increasing mandates enterprises face, custodial data assets aren’t the most valuable assets in enterprise information portfolios. Proprietary knowledge and company secrets, by contrast, are twice as valuable as the custodial data. And as recent company attacks illustrate, secrets are targets for theft. Compliance, not security, drives security budgets. Enterprises devote 80% of their security budgets to two priorities: compliance and securing sensitive corporate information, with the same percentage (about 40%) devoted to each. But secrets comprise 62% of the overall information portfolio’s total value while compliance-related custodial data comprises just 38%, a much smaller proportion. This strongly suggests that investments are overweighed toward compliance," the Forrester analysts found.
The study surveyed 300 senior IT personnel. It found that about 41 percent of security budgets are directed toward securing sensitive corporate information (activities not driven by compliance), while about 39 percent go directly to compliance initiatives.
Forrester's research also found that although data breaches and accidental losses of sensitive information get most of the headlines, intentional theft of corporate data causes 10 times more financial loss. Interestingly, the study also found that regardless of the number and severity of these kinds of incidents that a company has endured, the IT staff is still likely to think that its security controls are working well.
"Even enterprises with a high number of incidents are still likely to imagine that their programs are 'very effective.' We concluded that most enterprises do not actually know whether their data security programs work or not," the study found.