Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Compliance Keys: Money, Monitoring

New study shows direct relationship between compliance success and security investment, monitoring

When it comes to regulatory compliance, companies that spend the most on IT security, and are the most vigilant about their compliance efforts, are the most successful.

That's the result of a study published earlier today by the IT Policy Compliance Group, a collection of compliance experts formed last year to study best practices in regulatory compliance.

The IT Policy Compliance Group, originally known as the IT Security Compliance Council, was founded in 2005 by the Computer Security Institute, the Institute of Internal Auditors, and BindView Corp., which is now part of Symantec. The group announced its new name, a new Website, and a new member -- Protiviti -- today along with the study results.

The report, which tracks spending and compliance data reported by some 520 companies between December 2005 and April 2006, offers some new insights on why enterprises succeed -- or fail -- in their compliance efforts, including Gramm-Leach-Bliley, Sarbanes-Oxley, HIPAA, and many others.

Most companies are facing multiple compliance challenges, the IT Policy Compliance Group says. In fact, the majority of companies that make $500 million or more annually are subject to three or more sets of security-related regulations, according to Jim Hurley, managing director of the IT Policy Compliance Group and a research director at Symantec. Most small and mid-sized companies are subject to at least two, he says.

The compliance battle has proved to be a tough one so far, according to the research. "Only about one in ten companies has reached a best-in-class level, where they have a high level of compliance and a low number of deficiencies," Hurley says. Seven out of ten are on track, but not there yet, and two out of ten "are having real problems" with compliance.

The IT Policy Compliance Group conducted its study to help identify the differences between the "best in class" and the "laggards" in compliance, officials say. The two biggest differentiators were percentage of IT spending on security and the amount of monitoring done by the companies in the study.

According to the research, companies that spend at least 10 percent of their IT budgets on security were generally among the most successful in meeting compliance requirements; the companies that spent 6.5 percent or less tended to be found among the laggards. The actual amount spent on security didn't seem to matter -- it was the ratio of security spending that turned out to be the defining data point.

"This is an interesting result because the top deficiencies we saw in the study weren't necessarily security-related," Hurley notes. "The most common deficiency, for example, was inadequate documentation. But the companies that spend a larger proportion of their IT budgets on security had a higher rate of compliance success."

Most regulatory requirements do have multiple security requirements, however, and meeting security guidelines is a key to passing an audit, he observes.

Another key to compliance success is monitoring, according to the research. The companies in the "best in class" category generally were companies that checked themselves for compliance every 21 days or less; many of the laggards do an audit only once or twice a year.

"What that says is that to be successful in compliance, you've got to find a way to do some automated monitoring," says Hurley. "You can't do it all with people."

The group's research bears out this conclusion: The best in class companies tended to rely more on internal hardware and software for monitoring, and only 26 percent relied heavily on outside contractors. Among the laggards, however, reliance on third parties was about 37 percent.

The IT Policy Compliance Group made a number of recommendations on how to improve compliance and reduce audit issues, but the monitoring issue is key, Hurley says. "If you're not monitoring it, you can't manage it."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.