http://www.informationweek.com/news/showArticle.jhtml?articleID=196601378
Given Symantec were part of this group recommending not spending money on expensive consultants, I guess they are disbanding their own security consulting team?
By Larry Greenemeier
InformationWeek
Dec 4, 2006
Companies most likely to successfully navigate today's regulatory environment need to automate IT security functions rather than blow their budgets on pricey consultants or services, and they need to audit their system and data security more frequently. So says the IT Policy Compliance Group, in a report released Monday on the relationship between regulatory compliance and IT security spending.
The group, formed last year by the Computer Security Institute, the Institute of Internal Auditors, and Symantec and formerly known as the Security Compliance Counsel, began its study assuming that larger organizations had more resources to throw at any given compliance project. While this is true, they were surprised to learn that larger organizations don't necessarily perform better than their smaller counterparts when it comes to actually achieving compliance, says Jim Hurley, managing director of the IT Policy Compliance Group and a director of research for Symantec. "It's not a matter of resources, it's what you do with them," he adds.
Nothing has driven spending on IT security products and services over the past few years more than the need to comply with a flurry of new regulations flowing out of Washington, including the Health Insurance Portability and Accountability Act, Sarbanes-Oxley, and Gramm-Leach-Bliley. Last week saw the debut of the newly amended Federal Rules of Civil Procedure, which force companies to better manage electronically stored information that can be used as evidence in civil court cases. There have been 114,000 new regulations introduced in North America alone since 1981, Adam Losner, VP of finance for the Securities Industry Automation Corp., said at a September IT Policy Compliance Group meeting at the Interop show in New York. Next year, expect a federal data breach notification law to be added to the list.
The IT Policy Compliance Group's study, which surveyed the spending patterns of 876 organizations, found that those most successful in meeting compliance demands are spending $1 on IT security for every $30,000 in revenue, assets under management, or agency budget, depending upon the type of organization. Those lagging behind in terms of compliance are spending $1 on IT security for every $90,000.
Only about 11% of the organizations surveyed reported that they've suffered fewer than three compliance problems in the past year. Nearly 70% experience between three and 15 IT compliance problems annually, while the rest had to correct as many as hundreds of IT compliance deficiencies in a single year, a situation that can lead to fines as well as the siphoning of resources from other important IT projects.
Hurley says a good rule of thumb for compliance spending is to allocate more than 10% of the overall IT budget to security systems, including configuration change management systems, as well as auditing, monitoring, and reporting tools. Other helpful investments include software for managing IT security policies, standards, controls, and documentation. Another key to successful compliance, the group found, is regular auditing. Those that audited the security of their systems monthly were far more successful at achieving compliance than those who audited only once annually.
Hand in hand with this was the observation that organizations are better served spending their security dollars on hardware and software such as configuration and change management applications, antivirus, user-access control systems, and reporting tools, which facilitate more frequent audits, rather than spending the money to hire more contractors and outside services. Organizations with the fewest compliance problems are spending 9% more to automate audit functions and 11% less on contractors and outside services.
IT leadership also is an important ingredient in achieving and maintaining compliance. "At the board level, executives want to know their level of risk related to compliance, so [chief information security officers], chief privacy officers, and chief risk officers have to be able to connect spending on IT security with meeting the demands of various regulations," says Rocco Grillo, director of the security practice at risk-assessment firm Protiviti, which Monday officially joined the IT Policy Compliance Group.