[Itpolicy-np] Info-sec Fact -- NOW Study: Compliance IS a Huge Waste of Money!
Bipin Gautam
bipin.gautam at gmail.com
Thu Sep 2 05:26:02 GMT 2010
(Source: http://www.cmswire.com/cms/enterprise-cms/study-corp-compliance-a-huge-waste-of-money--007201.php)
Earlier we referenced a recent report that indicated that companies
are spending too much time on compliance and not enough on protecting
secrets. We thought we’d take a closer look and examine the study’s
implications in the enterprise.
The Value Of Corporate Secrets: How Compliance And Collaboration
Affect Enterprise Perceptions Of Risk surveyed 305 IT security
decision-makers to understand how enterprises value and protect their
enterprise information portfolios.
(The PDF) http://www.rsa.com/document.aspx?id=10844
...
Increasing Demands, Misguided Priorities
Though chief information security officers (CISOs) face increasing
demands from their business units, regulators and business partners to
safeguard their information assets, their priorities are misdirected.
The study revealed that enterprises devote 80% of their security
budgets to compliance and securing sensitive corporate information,
with the same percentage (about 40%) devoted to each.
In comparison, secrets comprise 62% of the overall information
portfolio’s total value and compliance related custodial data
comprises just 38%, a much smaller proportion.
Additionally, executives seem to underestimate the value of their
information. While losing laptops and other information accidentally
is never good, losing it through more malicious means is far worse.
Overall, executives don’t realize how effective their security
controls are. No matter the information asset value, spending, or
number of incidents observed, nearly every company rated its security
controls to be equally effective — even though the number and cost of
incidents varied widely.
Even enterprises whose information has been compromised rated their
programs as “very effective.” Obviously there are definitive
misconceptions when it comes to enterprise security.
Information at Risk
But just what kind of information is going unprotected and is at risk of theft?
The report says that secrets and custodial data are at greatest risk.
Secrets are proprietary company information that generates revenue,
increases profits and maintains competitive advantage.
Custodial data, such as customer, medical and payment card information
has value because regulations or contracts make it toxic when spilled
and costly to clean up.
Secrets are usually the information that the enterprise creates and
wants to keep from being released publicly. Yet, secrets aren’t always
well organized and managed, making them easier to lose or steal.
Of course, it’s silly to think that companies want to lose any data.
Losing custodial data isn’t ideal either for obvious reasons like
undermining privacy issues and a company’s reputation.
Wasting Time and Money
Because companies underestimate the value of their data, mismanage
company secrets and overestimate the security controls in place, it’s
no surprise that they are wasting lots of time and money.
As well, the cost of losing data is even greater. The study showed
that the total cost for all lost smartphone incidents was US$ 134,000,
with about half incurring minimal or no costs. The average cost per
incident was US$ 12,000.
Lost laptop incidents incurred slightly more cost and were slightly
more serious, with a total cost of US$ 179,000 and a per-incident cost
of US$ 26,000. Accidental leakages incurred just US$ 174,000 in
total cost and had a per-incident cost of US$ 26,000.
http://www.cmswire.com/images/Value_corporate_secrets_cost.jpg
But that’s pennies compared to the costs associated with malicious
theft by insiders and third parties. When a rogue employee steals
sensitive company documents, it costs US$ 363,000 per incident. And
damage caused by a rogue IT administrator costs US$ 452,000 on a
per-incident basis.
Bottom Line
Increased collaboration increases data security’s importance. Across
the enterprise, companies can manage their information more securely
by identifying threat scenarios and assessing the types of information
given to third parties, especially the extent to which they are stored
on non-company-owned assets. Ultimately, by paying closer attention to
and regularly monitoring security controls, money can be saved while
limiting risk.