In-Depth

Q&A: How Security Budgets Determine Compliance Success

New study highlights commonalities between companies with the fewest IT compliance deficiencies.

• By Mathew Schwartz
• 08/15/2006

Are you complying with regulations as efficiently as possible?

Today, 60 percent of all organizations must meet data privacy and protection regulations, yet only 11 percent of them achieve “stellar performance results.”

Companies with the fewest regulatory deficiencies have three things in common: they monitor and report on security and compliance at least monthly, collectively devote at least 30 percent of IT’s time to compliance, and spend at least 10 percent of their IT budget on security.

Those findings come from a survey of 617 organizations from around the world conducted by the Security Compliance Council, comprised of Symantec Corp., the Institute of Internal Auditors, and the Computer Security Institute. To discuss the results, we talk to Jim Hurley, executive vice president of research for the Security Compliance Council and a senior director at Symantec.

Is the leading regulatory driver today Sarbanes-Oxley, or data privacy and protection regulations?

About a year or a year and a half ago it was [all about] Sarbanes-Oxley, and it was in the range of 55-65 percent of companies [needing to comply]. … [But] in a one-year timeframe, it slipped. Sarbanes-Oxley is now at the 43-44 percent range, and data privacy and protection is way up.

When I started seeing this, I began making calls to see what was going on … and anecdotally … people were telling me the problem wasn’t that they had a customer-data problem, but that they have so many of them because they operate in so many countries, and the rules are so different.

That’s particularly true in Europe, where the rules are different in every country—even though they’re all part of the EU. There are the differences between opt-in and opt-out. … They had to go back and [reconcile those all] regulations, and that didn’t even get into the issue of sensitive corporate data that they didn’t want to let out.

Are CIOs having a difficult time balancing regulatory requirements with all of their other duties?

I’ll never forget getting on the phone with a CIO in the retail industry—a company with a lot of locations—and asking him where he spent all his time. He said, “On data litigations and law summonses, and I got tired of it because I couldn’t handle the business side of [the job]. So I hired a guy who’s only responsible for the law side of it.”

Well, that guy said he spent 80 percent of his time with legal council and finance, and he hadn’t talked to the CIO since he was hired. … His job was to focus on data privacy and due diligence for law-firm searches of records. So some firm would sue—whether class action or class lawsuit—and that company or lawyer would call and say we need direct access to your records. …

For the survey, how did you gauge companies’ compliance-related deficiencies?

That was part of the [ongoing] benchmark [we’re conducting]. We asked them to document, before they started their audit, how many overall deficiencies were found, and whether it was found by them or the auditing team they have in place. Then prior to the final audit, how many significant material deficiencies had to be remediated? …

In any survey, in any research, you’re always going to get some people [who] are going to say the best things, and you’ll always have people who have axes to grind. The good thing about statistics is you can throw out the cases that are at the ends of the spectrum, so you can look at normal distributions—and the good news is the distributions were virtually all normal.

We also asked the same kinds of questions in the security domain—how many security deficiencies had to be remediated in the past year? … How many of those resulted in some sort of business loss, whether it was a direct financial lost, or money spent to recover from a problem, or money spent to recover from a lawsuit? … [Those results are forthcoming.]

What did you find with your compliance survey?

Companies spending 10 percent or more of the IT budget on security were universally doing better than the companies spending less than 10 percent on their security budget. The first critical success factor was frequency, the second one was the amount of time spent on compliance, and the third was the security [spending] as a percentage of IT budget.

What’s the goal of the Security Compliance Council’s ongoing surveys and benchmarks?

To provide guidance to organizations and to get as granular as [you can]; if you’re a government agency or in insurance, banking, health care services, or some other industry, and you’re a certain size organization, here’s what the profile of current best practices looks like. … I’m also looking at [security spending] management. … I’m looking at critical success factors that make a difference in results, and the ones that have come through consistently … are measuring, monitoring, and audit.

The key finding we’re going to try and get across through the Council is … to improve your performance. You at least have to get [measuring, monitoring, and auditing] up to once a month, or more.

Is there a simple explanation for why this is so effective?

The more frequently you do it, the more intelligence you have, and the more quickly you’re able to react and make a decision about something that either needs to be fixed immediately or put in abeyance for one month, three months, or six [months].

How quickly does monthly—or more frequent—monitoring pay off?

There is a divergence [in success] that pertains to those organizations that have not yet started their compliance activities versus those that have. … It looks like there’s a great deal of learning in the first six months [which impacts success], but after that it’s very negligible.

Related Articles:

• Q&A: Automating Security Controls for Compliance
• Q&A: Balancing E-Mail Security and Compliance