What Are S&R Pros Doing About Data Security And Privacy?

Data security consistently tops the laundry list of security priorities because it must. Organizations are collecting data, creating data, using data, and storing data in some way or another. Mishandle data or disregard privacy, and you’ve got a public relations fiasco on your hands with the potential to disrupt business operations or hurt the bottom line.

So, we know that data security is a priority, but what does that mean? What are organizations actually doing here? How much are they spending, and where are they focusing their efforts? And what are they doing about privacy? I’ve dug into data from Forrester’s Forrsights Security Survey, Q2 2012 and data from the International Association of Privacy Professionals (IAPP) to answer these questions in a newly published benchmarks report for our Data Security and Privacy playbook. Note: This is not a shopping list, nor a checklist, nor is it a “spend x% on data security because your peers are doing so!” manifesto. This report is meant to be a starting point for discussion, one that S&R pros can use within their organizations to take a closer look at their own data security and privacy strategy.

Key findings include:

  • Data security is a top priority and commands a sizable chunk of budget. A large majority of organizations (91%) cite data security as a critical or high priority and allocate, on average, 16% of their security technology budget to this area. Hot focus areas include database vulnerability assessment, monitoring, and auditing, with 24% of firms planning to invest here, and data leak prevention (DLP), with 22% of firms planning investments in this area.
  • Consumerization fuels data security concerns, but protection is lacking. Data loss and data protection are the top mobile security concerns. Most firms have policies to address consumerization (85% have a smartphone security policy, and 76% have a tablet security policy), but the tools to enforce those policies are lacking. Despite high levels of concern, many firms are either doing nothing for mobile data protection (23%) or only implementing baseline device security controls (38%) such as device passcodes and remote lock and wipe.
  • Privacy responsibilities go beyond the security group. Data security is primarily a security group responsibility. Privacy responsibility, by contrast, cuts across various business units and groups, and privacy officers and third-party privacy support are also called in to help. Privacy professionals surveyed by the IAPP tell us that the top drivers for funding privacy are meeting compliance requirements (54%) and reducing the risk of data breach notification and publicized data breaches (50%).

Any surprises? Or does this align with your expectations? Does your organization enlist the support of external privacy experts? And how does your organization approach or use benchmarking data? I’d love to hear from you.

Comments

BYOD and Security

Enterprise security is an incredible challenge today, specifically because the days of "company provided" mobile devices are going the way of the pension plan for most organizations. Sure, you could get a BlackBerry bought by your company 5 years ago (remember those?), but most organizations aren't spending at the iPhone/tablet level.

As mobile malware and password theft issues increase, it's our belief that more and more firms will need to require mobile AV and password management services on their devices.

Good read and thanks for the post.
Ed

Thanks Ed

Good points. We've been tracking the demise of company-provided devices as well, and seeing that at some organizations, employees are just bringing in their own devices to use for work purposes regardless of whether or not their corporate IT department supports it.

I became very interested in mobile/tech security after attending the Mobile Asia Expo in China. I think most people just have no idea how easily their phones, computers and smart TVs can be remotely accessed. Although there are systems/software that companies can use to manage the issue of employee-owned devices at work, I think it works in both the employer's and employee's favor to provide secured phones for work purposes. Employers don't have to worry about security leaks, and employees don't have to, in some cases, unknowingly hand over access/control of their mobile devices to their employers (or whoever is providing free wifi).

No major surprises.

No major surprises. Benchmarking is a critical component of our security program. It is not enough to simply gather statistics such as X% of companies use disk encryption or vendors A and B are the top two recommended spam filter solutions. Don’t get me wrong, this information is valuable, but the “ahas” come from the discussions between security professionals. I want to know why you chose a particular vendor or what led to you making that issue a top priority. How did you secure funding for that project, or what was the top lesson you learned after deploying that tool? This is why I am a strong advocate for activities like security councils, local roundtable discussions and other events that bring security experts together to discuss industry activities. The good news is that security professionals are much more open to sharing information than they were 6-8 years ago.