How companies are prioritizing infosec and compliance
New research conducted by Enterprise Management Associates (EMA) examines the impact of the compliance budget on security strategy and priorities. It describes the areas in which companies prioritize information security and compliance, which leaders control information security spending, how compliance has shifted the organization's overall security strategy, and the solutions and tools on which organizations are focusing their technology spending.
The findings cover three critical areas of an organization’s security and compliance posture: information security and IT audit and compliance, data security and data privacy, and security and compliance spending.
One key takeaway is that merging security and compliance priorities addresses regulatory control gaps while improving the organization’s security posture. Respondents revealed insights on how they handle compliance, who is responsible for compliance and security responsibilities, and what compliance-related security challenges organizations face.
“This study confirmed our long-standing theory that when security and compliance have a unified strategy and vision, every department and employee within the organization benefits, as does the business customer,” said Christopher M. Steffen, managing research director of EMA. “Most organizations view compliance and compliance-related activities as ‘the cost of business,’ something they have to do to conduct operations in certain markets. Increasingly, forward-thinking organizations are looking for ways to maximize their competitive advantage in their markets, and having a best-in-class data privacy program or compliance program is something that more savvy customers are interested in, especially in organizations with a global reach. Compliance is no longer a ‘table stakes’ proposition: comprehensive compliance programs focused on data security and privacy can be the difference in very tight markets and are often a deciding factor for organizations choosing one vendor over another.”
- Companies found the need to shift their information security strategy to address compliance priorities (93%).
- Information security and IT compliance priorities are generally aligned (89%).
- Existing security tools have to address data privacy considerations going forward (76%).
- Managing an organization’s multiple IT environments and the controls that govern those environments is the greatest challenge in the IT audit and compliance space (39%).
Data security and privacy
Data security and privacy are central to information security and regulatory compliance. According to the study, data privacy regulations such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are primary considerations for business and technology leaders. In the absence of a national privacy law, five states have already established their own privacy laws. Other results include:
- Organizations believe that the implementation of a significant data privacy program is a competitive differentiator (75%).
- Organizations use or are looking to use a regulatory compliance program as a competitive differentiator (68%).
- Respondents are looking for tools to address data privacy controls (75%).
- Companies are altering their organizations’ approaches to information security to address data privacy regulations (59%).
- Companies take a data classification or security-centric approach to data privacy (54%).
- Data security, including the associated tools and data encryption, is their most significant security challenge (38%).
Security and compliance spending
Given the growing concern over maintaining compliance, it is no surprise that the study found that companies are investing significantly in data security and privacy tools and are spending the least on point solutions. Additionally, the chief information officer (CIO) is most likely responsible for the security and IT compliance investments budget. The CISO (for security) and the chief compliance officer (for compliance) significantly influence their respective budgets. Further insights include:
- Companies are currently or will be making a significant investment in data privacy and data loss prevention (98%).
- Respondents increased IT, information security, and IT compliance investments over previous years (75%).
- Most budgets range between $50,000 and $5 million for information security (61%), and approximately the same proportion of budgets fall in that range for IT audit and compliance (58.8%).
- Future budgets are increasing moderately or slightly for information security and security consulting (74%) and IT audit and compliance (66%).
“Data responsibility is a competitive advantage. As this research with EMA reveals, companies realize that it is critical to align security and compliance resources,” said Ameesh Divatia, CEO of Baffle. “It is gratifying to learn that IT practitioners are taking compliance very seriously, and this mindset is shaping their security strategy and investments. The environment is ideal for innovation as these practitioners evaluate tools that improve their security posture to comply with data privacy regulations. And with data privacy regulations moving compliance in lockstep with security, work done now to manage the complexity of compliance will only benefit an organization and its business customers in the long term.”