Survey Maps Enterprise Data Security Management Turmoil - And How to Stop It
RSA, The Security Division of EMC, recently announced the results of a survey commissioned by RSA entitled "The State of Data Security in North America." Conducted by Forrester Consulting, the survey results reveal that many businesses are still in a 'reactive mode' when deploying data security measures and often struggle with the challenge of creating and implementing planned strategies for data loss prevention. The report - which surveyed almost 200 organizations - also highlights the rising costs and technology implementation hindrances standing in the way of compliance with internal and regulatory policy mandates.
"Organizations are grappling with the 'data security dilemma': how to respond to specific regulatory mandates and pressing issues while laying out a holistic and sustainable strategy for data loss. Too often, the point-solutions being deployed today complicate and can potentially derail long-term efforts to get this right," said Dennis Hoffman, Vice President and General Manager, Data Security Group, and Chief Strategy Officer at RSA, The Security Division of EMC. "The survey demonstrates that securing data has become an information management process that cannot be addressed effectively through unrelated projects and products: that all data must first be identified and classified; that different controls will need to be applied to prevent the data's loss; and that the enterprise-wide management of those controls needs to be as efficient as possible."
Companies Need to Enable Safe Access to Data
The survey showed that the flexibility to make information readily available to partners, customers and distributed workers are top priorities for businesses today. Seventy-five percent of the respondents reported that access to data by remote employees is a top concern, followed next by demands for collaboration and data exchange with partners at sixty-nine percent, and consumer access at sixty-three percent.
Adhering to Internal Policies Considered Critical but Costly
Organizations are cognizant of the imperative to manage and control their data securely and appropriately - as prescribed in many legislative and industry mandates. In fact, sixty-two percent of respondents consider the enforcement of existing company policies on data to be their most pressing driver in ensuring that data is properly secured before it is shared and distributed. However, controlling the rising costs of ongoing compliance with those policies is becoming a burden, and thirty-three percent of the respondents - the majority response to this question - noted the operational costs of compliance are more significant than they would like them to be.
The research also revealed how many organizations have yet to determine what shape their policies should take - and how to implement them effectively:
• Fifty-five percent of respondents have data security policies that are
either outdated or require significant changes to bring them in line
with regulatory and company mandates
• Twenty-seven percent indicated that the policy they have is rarely
enforced
What is Holding Businesses Back
1. Knowing what data you have - and understanding its sensitivity
Determining the scope of how to address company policy requirements
starts with data classification - knowing what data is important and
everywhere it is located.Data classification is essential to
providing proper guidance for a data security strategy and ensuring
focus on the most critical areas so that costs can be contained.
• Fifty-two percent of respondents listed data classification as a
top priority; however, thirty-seven percent of respondents do
not actually have a data classification policy
2. Using Appropriate Data Controls to Prevent Loss or Leakage
Once companies have a data classification policy in place, the next
step is to implement a control strategy to mitigate the associated
risks to their data.Encryption is quickly becoming the de facto
control technology for meeting data security requirements:
• Sixty-two percent of respondents intend to increase their
encryption deployments and sixty-five percent plan to increase
their overall spending on encryption
• Fifty-two percent of respondents intend to increase spending on
information leak prevention technology, another important
control
• However, sixty-two percent of those surveyed either do not have
an encryption policy or strategy at all, or consider their
strategy to be incomplete as it only covers data at rest or data
in transit, but not both.
Implementing a strategy that addresses all aspects of a data security
policy requires an enterprise-wide approach.However, this survey
showed that seventy-eight percent of respondents do not always
approach the adoption of encryption controls from an enterprise-wide
perspective.Instead, they focus more on solving tactical
operational problems increasing the operational costs of deploying
and managing encryption controls.
3. Simplifying the Management of Data Controls
In the survey, the biggest contributor cited to the rising costs and deficient rate of return on investment on encryption was the lack of
enterprise-wide key management.The top three operational issues
with encryption indicated by respondents were in the area of key
management, and over fifty percent of respondents also noted that
these operational problems have had a material impact on the
business.Most organizations polled, fifty-three percent, still rely
on manual processes to deal with key management issues.
"The results of the survey indicate that a comprehensive and
cost-effective approach to data security will help organizations
construct manageable - and repeatable - data loss prevention
processes," Hoffman continued."This framework will enable
enterprises to fully exploit their information's value for business
advantage."
Methodology
In April 2007, RSA commissioned Forrester Consulting to survey North American organizations and ask them about their priorities and activities around data protection. In this online survey:
• Twenty percent of respondents were from companies of between 5,000 and
20,000 people, 21 percent were from organizations of greater than 20,000
employees.
• Twenty-nine percent of respondents were from organizations with
revenues between $1 billion and $10 billion, and 17 percent had revenues of
greater than $10 billion. • All respondents used encryption within their companies, and all
respondents were involved with encryption policy within their company.
• About half of respondents had titles of Chief Security Officer or Chief
Information Security, CIO, IT Director, or VP of IT
The survey, "The State of Data Protection in North America," conducted by Forrester Consulting, can be found online at: http://www.rsa.com/solutions/financial/whitepapers/ForresterStateofDataSecurit yAugust07.pdf.