Report: Increased Spending on Compliance Not Helping Security

A global survey of 750 IT decision-makers suggests that increased spending on compliance isn’t doing much to improve the security posture of organizations.

Conducted by Vanson Bourne on behalf of Tanium, a provider of endpoint management tools, the survey finds organizations have spent on average $70.3 million each to comply with data privacy regulations such as the General Data Protection Regulation (GDPR) enacted by the European Union (EU) and the California Consumer Privacy Act (CCPA).

Regardless of spending, however, endpoint visibility remains a major issue for both compliance and cybersecurity. Nearly half (47%) said they have issues with endpoint visibility, while 37% cited lack of visibility and control across endpoints as the biggest barrier to maintaining regulatory compliance. Nearly all IT decision-makers (94%) admit to having discovered endpoints in their organization that they didn’t know existed, and more than half (53%) said the lack of visibility leaves them more open to cybersecurity attacks.

That issue persists even though organizations employ 43 IT security and operations tools on average. Despite all those tools, however, 39% of survey respondents admitted there is a lack of unity among IT, operations and cybersecurity teams within their organization.

Chris Hallenbeck, chief information security officer for the Americas at Tanium, said all those tools in many ways also contribute to a false sense of security. Despite a lack of visibility into endpoints, 90% of respondents said they are certain their organization could report all required breach information to a supervisory authority within 72 hours.

In general, Hallenbeck said there is a world of difference between being able to pass an audit and being able to secure an IT environment. Most organizations don’t really understand what data they have and how it’s being used. As such, it’s still relatively common for a laptop loaded with unencrypted data to go missing, for example, he said.

Most organizations won’t address their data hygiene issues until the fines that are levied for violating various data privacy laws start to increase, he added.

In the meantime, too many organizations will continue to conflate investments in meeting compliance regulation requirements with the overall cybersecurity posture of their organization. Being able to check a box during an audit does not mean the IT environment is secure, said Hallenbeck, noting it’s not uncommon for organizations to start to backslide on how data is processed and managed once an audit is complete.

On the upside, Hallenbeck noted that as more organizations start to make investments in various digital business initiatives, it is apparent cybersecurity is becoming a bigger concern. It’s just not clear how much those concerns are leading to increased investments in cybersecurity.

Of course, the biggest issue remains culture. Until organizations start routinely implementing best practices for data management, there will continue to be large numbers of data breaches. There may never be such a thing as “perfect security.” However, right now it’s just too easy for a data breach to occur regardless of how much money is currently being invested in achieving compliance with regulatory mandates.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.