Last December, IT Business Edge blogger Mike Vizard wrote about security delusions in compliance, stating:
All too often, there is a tendency to measure security in terms of compliance. Unfortunately, the definition of compliance with any particular regulation usually comes down to meeting the bare minimum requirements. The end result is that while thousands of organizations can meet compliance requirements, very few of them are actually secure.
Last month, Forrester Research released a paper commissioned by Microsoft and RSA that found that the majority of companies focus their security programs on compliance issues, even though corporate intellectual property (the company's "secrets") accounts, on average, for nearly two-thirds of the value of a company's information portfolio. According to the paper:
Enterprises devote 80% of their security budgets to two priorities: compliance and securing sensitive corporate information, with the same percentage (about 40%) devoted to each. But secrets comprise 62% of the overall information portfolio's total value while compliance-related custodial data comprises just 38%, a much smaller proportion. This strongly suggests that investments are overweighed toward compliance.
Forrester's research also found that although data breaches and accidental losses of sensitive information get most of the headlines, intentional theft of corporate data causes 10 times more financial loss. Interestingly, the study also found that regardless of the number and severity of these kinds of incidents that a company has endured, the IT staff is still likely to think that its security controls are working well.
Obviously, compliance laws are important to protecting consumer privacy and promoting security. But I have had many conversations over the past couple of years with people in the security business who lament how inconsistently enterprises protect the business side of things, down to basics such as restricting employee access to certain data and immediately disabling the accounts of anyone who leaves the company. Perhaps the Forrester report will be a good catalyst for better security for intellectual property and data.