Microsoft and RSA, the Security Division of EMC, recently commissioned a Forrester Consulting survey of enterprise security managers about information protection. The results are available in a white paper called "The Value of Corporate Secrets," published on Microsoft.com under Technical Resources. We also issued a joint press release about it. (Microsoft and RSA have a strategic partnership around information protection solutions, announced more than a year ago.)
The most interesting finding of the survey of 305 security decision makers around the world is that while enterprises are investing heavily in compliance and in protection against accidental leaks of custodial data (such as customer information), they are under-investing in protection against theft of trade secrets (intellectual property), which is much more valuable.
“Nearly 90% of enterprises we surveyed agreed that compliance with PCI-DSS, data privacy laws, data breach regulations, and existing data security policies is the primary driver of their data security programs. Significant percentages of enterprise budgets (39%) are devoted to compliance-related data security programs,” according to Forrester Consulting’s study. “But secrets comprise 62% of the overall information portfolio’s total value while compliance-related custodial data comprises just 38%, a much smaller proportion. This strongly suggests that investments are overweighed toward compliance.”
Below is a short video of RSA’s Sam Curry discussing the survey results.
The survey also revealed that while organizations focus on data security incidents related to accidental loss, information theft by employees or trusted outsiders is more costly. Based on the survey responses, employee theft of sensitive information costs roughly ten times more per incident than accidental loss: hundreds of thousands of dollars versus tens of thousands.
Despite a wide range in security spending, in views on the value of information, and in the number of incidents reported, nearly every company rated its security controls as roughly equally effective.
“Most enterprises do not actually know whether their data security programs work or not, other than by raw incident counting,” according to Forrester Consulting. “‘Compliance’ in all its forms has helped CISOs buy more gear. But it has distracted IT security from its traditional focus: keeping company secrets secure.”
Read the white paper for recommendations from Forrester, Microsoft and RSA to better ensure your information security strategies are appropriately balanced, including:
Identify the most valuable data assets in your company's portfolio.
Create a "risk register" of data security risks that documents specific threat scenarios.
Assess and re-prioritize your IT security program's balance between compliance and trade secrets.
Increase vigilance over external and third-party business relationships.
Measure data security program effectiveness.
I agree with this assessment and believe that we need to continue to focus our efforts in protecting what's most important.