Baffle released a report titled "Using Compliance Budget to Advance Security Priorities," which details insights and trends related to compliance, security and privacy. The survey polled more than 200 technology leaders from mid-to-large-size organizations across North America, representing more than 10 industry verticals.
The Baffle-sponsored research, conducted by analyst firm Enterprise Management Associates (EMA), examines the impact of the compliance budget on security strategy and priorities. It describes the areas in which companies prioritize information security and compliance, which leaders control information security spending, how compliance has shifted the overall security strategy of the organization, and the solutions and tools on which organizations are focusing their technology spending.
"This study confirmed our long-standing theory that when security and compliance have a unified strategy and vision, every department and employee within the organization benefits, as does the business customer," said Christopher M. Steffen, CISSP, CISA, managing research director of EMA. "Most organizations view compliance and compliance-related activities as 'the cost of business,' something they have to do to conduct operations in certain markets. Increasingly, forward-thinking organizations are looking for ways to maximize their competitive advantage in their markets, and having a best-in-class data privacy program or compliance program is something that more savvy customers are interested in, especially in organizations with a global reach. Compliance is no longer a 'table stakes' proposition: comprehensive compliance programs focused on data security and privacy can be the difference in very tight markets and are often a deciding factor for organizations choosing one vendor over another."
The findings cover three critical areas of an organization's security and compliance posture: information security and IT audit and compliance, data security and data privacy, and security and compliance spending. Here are the top insights from each.
Information Security and IT Audit/Compliance Trends
One key takeaway is that merging security and compliance priorities addresses regulatory control gaps while improving the organization's security posture. Respondents revealed insights on how they handle compliance, who is responsible for compliance and security responsibilities, and what compliance-related security challenges organizations face. Additional findings:
- Companies found the need to shift their information security strategy to address compliance priorities (93%).
- Information security and IT compliance priorities are generally aligned (89%).
- Existing security tools have to address data privacy considerations going forward (76%).
- Managing an organization's multiple IT environments and the controls that govern those environments is the greatest challenge in the IT audit and compliance space (39%).
Data Security and Data Privacy
Data security and privacy are central to information security and regulatory compliance. According to the study, data privacy regulations, such as the EU's General Data Protection Regulation or the California Consumer Privacy Act, are primary considerations for business and technology leaders. In the absence of a national privacy referendum, five states have already established individual privacy laws. Other results include:
- Organizations believe that the implementation of a significant data privacy program is a competitive differentiator (75%).
- Organizations use or are looking to use a regulatory compliance program as a competitive differentiator (68%).
- Respondents are looking for tools to address data privacy controls (75%).
- Companies are altering their organizations' approaches to information security to address data privacy regulations (59%).
- Companies take a data classification or security-centric approach to data privacy (54%).
- Data security, including the tools and data encryption involved, is their most significant security challenge (38%).
Security and Compliance Spending
Given the growing concern over maintaining compliance, it is no surprise that the study found that companies are investing significantly in data security and privacy tools and are spending the least on point solutions. Additionally, the chief information officer (CIO) is most likely responsible for the security and IT compliance investments budget. The CISO (for security) and the chief compliance officer (for compliance) significantly influence their respective budgets. Further insights include:
- Companies are currently or will be making a significant investment in data privacy and data loss prevention (98%).
- Respondents increased IT, information security, and IT compliance investments over previous years (75%).
- Most information security budgets range between $50,000 and $5 million (61%), and the range is approximately the same for IT audit and compliance (58.8%).
- Future budgets are increasing moderately or slightly for information security and security consulting (74%) and for IT audit and compliance (66%).
"Data responsibility is a competitive advantage. As this research with EMA reveals, companies realize that it is critical to align security and compliance resources," said Ameesh Divatia, co-founder and CEO of Baffle. "It is gratifying to learn that IT practitioners are taking compliance very seriously, and this mindset is shaping their security strategy and investments. The environment is ideal for innovation as these practitioners evaluate tools that improve their security posture to comply with data privacy regulations. And with data privacy regulations moving compliance in lockstep with security, work done now to manage the complexity of compliance will only benefit an organization and its business customers in the long term."