More than 70% of Fortune 1,000 companies in the US are increasing their security budgets to meet regulatory and audit compliance requirements such as Sarbanes-Oxley and the Payment Card Industry (PCI) data security standard.
Most of the compliance-related spending is on policy and process
changes, followed by software purchases and encryption
technologies, according to a survey of 147 IT managers at Fortune
1,000 companies by New York-based consultancy TheInfoPro (TIP). The
results show that compliance has become arguably the biggest driver
of security spending in corporate America, with the UK and Europe
likely to follow the trend.
Behind the spending increases are growing concerns about the
consequences stemming from data breaches and data losses. The legal
need for public admission of data loss in the US means companies
can see their reputations damaged overnight by data breaches. In
Europe, however, the disclosure laws are less strict.
One of the key drivers of compliance efforts is the need to
safeguard credit and debit card data – 62% of the respondents said
they are planning to implement PCI-related processes and systems
this year.
The survey results back up the conclusions of a report from
Forrester Research in January, which estimated that most companies
will spend between 7.5% and 9% of their IT budgets on security as
the continuing shift from a purely strategic IT-centric security
model to a more business-focused stance drives the need for more
investments in processes and tools.
Although much of the compliance legislation has been
unnecessarily complex and heavy-handed – Sarbanes-Oxley, for
example, has created a new industry of compliance consultants – it
is clear that this compliance focus has had welcome spin-off
benefits in terms of new security policies and processes, and in
general, a new security awareness.