When it comes to regulatory compliance, companies that spend the most on IT security, and are the most vigilant about their compliance efforts, are the most successful.
That's the result of a study published earlier today by the IT Policy Compliance Group, a collection of compliance experts formed last year to study best practices in regulatory compliance.
The IT Policy Compliance Group, originally known as the IT Security Compliance Council, was founded in 2005 by the Computer Security Institute, the Institute of Internal Auditors, and BindView Corp., which is now part of Symantec. The group announced its new name, a new Website, and a new member -- Protiviti -- today along with the study results.
The report, which tracks spending and compliance data reported by some 520 companies between December 2005 and April 2006, offers some new insights on why enterprises succeed -- or fail -- in their compliance efforts, including Gramm-Leach-Bliley, Sarbanes-Oxley, HIPAA, and many others.
Most companies are facing multiple compliance challenges, the IT Policy Compliance Group says. In fact, the majority of companies that make $500 million or more annually are subject to three or more sets of security-related regulations, according to Jim Hurley, managing director of the IT Policy Compliance Group and a research director at Symantec. Most small and mid-sized companies are subject to at least two, he says.
The compliance battle has proved to be a tough one so far, according to the research. "Only about one in ten companies has reached a best-in-class level, where they have a high level of compliance and a low number of deficiencies," Hurley says. Seven out of ten are on track, but not there yet, and two out of ten "are having real problems" with compliance.
The IT Policy Compliance Group conducted its study to help identify the differences between the "best in class" and the "laggards" in compliance, officials say. The two biggest differentiators were percentage of IT spending on security and the amount of monitoring done by the companies in the study.
According to the research, companies that spend at least 10 percent of their IT budgets on security were generally among the most successful in meeting compliance requirements; the companies that spent 6.5 percent or less tended to be found among the laggards. The actual amount spent on security didn't seem to matter -- it was the ratio of security spending that turned out to be the defining data point.
"This is an interesting result because the top deficiencies we saw in the study weren't necessarily security-related," Hurley notes. "The most common deficiency, for example, was inadequate documentation. But the companies that spend a larger proportion of their IT budgets on security had a higher rate of compliance success."
Most regulatory requirements do have multiple security requirements, however, and meeting security guidelines is a key to passing an audit, he observes.
Another key to compliance success is monitoring, according to the research. The companies in the "best in class" category generally were companies that checked themselves for compliance every 21 days or less; many of the laggards do an audit only once or twice a year.
"What that says is that to be successful in compliance, you've got to find a way to do some automated monitoring," says Hurley. "You can't do it all with people."
The group's research bears out this conclusion: The best in class companies tended to rely more on internal hardware and software for monitoring, and only 26 percent relied heavily on outside contractors. Among the laggards, however, reliance on third parties was about 37 percent.
The IT Policy Compliance Group made a number of recommendations on how to improve compliance and reduce audit issues, but the monitoring issue is key, Hurley says. "If you're not monitoring it, you can't manage it."
Tim Wilson, Site Editor, Dark Reading