More than 70% of Fortune 1,000 companies in the US are increasing their security budgets to meet regulatory and audit compliance requirements such as Sarbanes-Oxley and the Payment Card Industry (PCI) data security standard.
Most of the compliance-related spending is on policy and process changes, followed by software purchases and encryption technologies, according to a survey of 147 IT managers at Fortune 1,000 companies by New York-based consultancy TheInfoPro (TIP). The results show that compliance has become arguably the biggest driver of security spending in corporate America, with the UK and Europe likely to follow the trend.
Behind the spending increases are growing concerns about the consequences stemming from data breaches and data losses. The legal need for public admission of data loss in the US means companies can see their reputations damaged overnight by data breaches. In Europe, however, the disclosure laws are less strict.
One of the key drivers of compliance efforts is the need to safeguard credit and debit card data – 62% of the respondents said they are planning to implement PCI-related processes and systems this year.
The survey results back up the conclusions of a report from Forrester Research in January, which estimated that most companies will spend between 7.5% and 9% of their IT budgets on security as the continuing shift from a purely strategic IT-centric security model to a more business-focused stance drives the need for more investments in processes and tools.
Although much of the compliance legislation has been unnecessarily complex and heavy-handed – Sarbanes-Oxley, for example, has created a new industry of compliance consultants – it is clear that this compliance focus has had welcome spin-off benefits in terms of new security policies and processes, and in general, a new security awareness.