Study Shows IT Security Holds The Key To Compliance

Study Shows IT Security Holds The Key To Compliance
Study Shows IT Security Holds The Key To Compliance 

By Larry Greenemeier
Dec 4, 2006

Companies most likely to successfully navigate today's regulatory 
environment need to automate IT security functions rather than blow 
their budgets on pricey consultants or services, and they need to do 
more frequent auditing of the systems and data security. So says the IT 
Policy Compliance Group Monday in its latest report on the relationship 
between regulatory compliance and IT security spending.

The group, formed last year by the Computer Security Institute, the 
Institute of Internal Auditors, and Symantec and formerly known as the 
Security Compliance Counsel, began its study assuming that larger 
organizations had more resources to throw at any given compliance 
project. While this is true, they were surprised to learn that larger 
organizations don't necessarily perform better than their smaller 
counterparts when it comes to actually achieving compliance, says Jim 
Hurley, managing director of the IT Policy Compliance Group and a 
director of research for Symantec. "It's not a matter of resources, it's 
what you do with them," he adds.

Nothing has driven spending on IT security products and services over 
the past few years more than the need to comply with a flurry of new 
regulations flowing out of Washington, including the Health Information 
Portability and Accountability Act, Sarbanes-Oxley, and 
Gramm-Leach-Bliley. Last week saw the debut of the newly amended Federal 
Rules of Civil Procedure, which force companies to better manage 
electronically stored information that can be used as evidence in civil 
court cases. There have been 114,000 new regulations introduced in North 
America alone since 1981, Adam Losner, VP of finance for the Securities 
Industry Automation Corp., said at a September IT Policy Compliance 
Group meeting at the Interop show in New York. Next year, expect a 
federal data breach notification law to be added to the list.

The IT Policy Compliance Group's study, which surveyed the spending 
patterns of 876 organizations, found that those most successful in 
meeting compliance demands are spending $1 on IT security for every 
$30,000 in revenue, assets under management, or agency budget, depending 
upon the type of organization. Those lagging behind in terms of 
compliance are spending $1 on IT security for every $90,000.

Only about 11% of the organizations surveyed reported that they've 
suffered fewer than three compliance problems in the past year. Nearly 
70% experience between three and 15 IT compliance problems annually, 
while the rest had to correct as many as hundreds of IT compliance 
deficiencies in a single year, a situation that can lead to fines as 
well as the siphoning of resources from other important IT projects.

Hurley says a good rule of thumb for compliance spending is to allocate 
more than 10% of the overall IT budget on security systems, including 
configuration change management systems, as well as auditing, 
monitoring, and reporting tools. Other helpful investments include 
software for managing IT security policies, standards, controls, and 
documentation. Another key to successful compliance, the group found, is 
regular auditing. Those that audited the security of their systems 
monthly were far more successful at achieving compliance than those who 
audited only once annually.

Hand in hand with this was the observation that organizations are better 
served spending their security dollars on hardware and software such as 
configuration and change management applications, antivirus, user-access 
control systems, and reporting tools, which facilitate more frequent 
audits, rather than spending the money to hire more contractors and 
outside services. Organizations with the fewest compliance problems are 
spending 9% more to automate audit functions and 11% less on contractors 
and outside services.

IT leadership also is an important ingredient in achieving and 
maintaining compliance. "At the board level, executives want to know 
their level of risk related to compliance, so [chief information 
security officers], chief privacy officers, and chief risk officers have 
to be able to connect spending on IT security with meeting the demands 
of various regulations," says Rocco Grillo, director of the security 
practice at risk-assessment firm Protiviti, which Monday officially 
joined the IT Policy Compliance Group.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods