One in 10 Organizations Properly Protects Data

New research outlines key steps to protect sensitive data

CUPERTINO, Calif. -- The IT Policy Compliance Group today announced the availability of its latest benchmark research report titled "Core Competencies for Protecting Sensitive Data." The report, which incorporates responses from more than 450 organizations globally, concludes that only one in 10 organizations is in the enviable position of adequately protecting their sensitive data. The report also analyzes the variables between those companies that are leaders and laggards in the area of data protection, providing insight into best practices that can lead to better data protection, improved compliance and sustained competitive advantage.

One of the most striking findings from the research is the correlation between the protection of sensitive data and regulatory compliance results: firms that excel at protecting sensitive data also perform well on regulatory compliance audits. Almost all (96 percent) of the organizations with the least loss of sensitive data are the exact same organizations with the fewest regulatory compliance deficiencies that must be corrected to pass regulatory audits. In contrast, the majority (64 percent) of the organizations with the most loss of sensitive data are the same organizations with the largest number of regulatory compliance deficiencies that must be corrected to pass audit.

The core competencies identified in this report fall into the categories of organizational structure and strategy, customer intimacy and operational excellence. By analyzing the firms with the least amount of sensitive data loss (leaders) and those that experience the most amount of data loss (laggards), one can see the importance of defining fewer policies or control objectives, pursuing more frequent assessments and leveraging IT change management to prevent unauthorized use or change.

  • Leaders define an average of 30 control objectives and conduct assessments once every 19 days. These firms experience two or fewer data losses and thefts annually, and two or fewer compliance deficiencies annually.

  • Laggards define an average of 82 control objectives and conduct assessments once every 230 days. Laggards experience 13 or more data losses and thefts annually and 22 or more compliance deficiencies annually.

"Several recent events have demonstrated how damaging the loss of data can be to an organization's reputation and strategic objectives. It is critical to ensure that risk-based controls are in place to deter data loss and theft, and that those controls are regularly tested," said Lynn Lawton, CISA, FCA, FIIA, PIIA, FBCS CITP, international president of ISACA. "Successful organizations focus on selecting the most relevant controls, instead of simply implementing a large number. The survey results clearly demonstrate that selecting, implementing and communicating the key controls, and regularly assessing their effectiveness, is a more practical approach and gets better results than constantly adding to a complex maze of uncoordinated isolated controls."

IT Policy Compliance Group, USA

Editors' Choice
Robert Lemos, Contributing Writer, Dark Reading
Shikha Kothari, Senior Security Adviser, Eden Data