I read a very interesting Forrester report last week commissioned by Microsoft and RSA. It was based on a survey of 305 IT security decision makers and assesses data security practices at enterprises around the world.
A key takeaway from the report is the fact that compliance, not security, drives security budgets. I don’t think this will shock anyone, but it’s worth thinking about. As most of us know, it’s easier to justify a security project based on a mandate (SOX audit deficiency!) than to explain the business value of a security investment (I’m not talking ROI here, but the value of avoiding or mitigating potential threats and their consequences). In recent years, regulatory mandates have fueled an almost recession-proof level of investment in security products and services that shows no sign of slowing down.
Everything would be hunky-dory if the security investments justified by SOX et al. were perfectly aligned with the security needs of the organization, but evidently they’re not (here’s where the Forrester report gets interesting). Using data protection as a case in point, the report shows that the great majority of enterprises do not align their security spending to the factors that pose the greatest business risk. In fact, enterprises are more likely to fund projects that address low-impact accidental breaches rather than high-impact breaches (such as malicious theft by insiders).
Whether you agree with the report or not, it’s worth a quick read. It’s got some interesting quantitative data on incidents and the cost of incidents. This level of information is what is required to assess risk and align security controls appropriately – but it’s also the data that is oftentimes hard to come by.
The report is a great reminder that we shouldn’t let the “ready built” justification provided by compliance prevent us from doing the real work of security, which is risk management.