Survey Maps Enterprise Data Security Management Turmoil - And How to Stop It

• Aug 23, 2007

RSA, The Security Division of EMC, recently announced the results of a survey commissioned by RSA entitled "The State of Data Security in North America." Conducted by Forrester Consulting, the survey results reveal that many businesses are still in a 'reactive mode' when deploying data security measures and often struggle with the challenge of creating and implementing planned strategies for data loss prevention. The report - which surveyed almost 200 organizations - also highlights the rising costs and technology implementation hindrances standing in the way of compliance with internal and regulatory policy mandates.

"Organizations are grappling with the 'data security dilemma': how to respond to specific regulatory mandates and pressing issues while laying out a holistic and sustainable strategy for data loss. Too often, the point-solutions being deployed today complicate and can potentially derail long-term efforts to get this right," said Dennis Hoffman, Vice President and General Manager, Data Security Group, and Chief Strategy Officer at RSA, The Security Division of EMC. "The survey demonstrates that securing data has become an information management process that cannot be addressed effectively through unrelated projects and products: that all data must first be identified and classified; that different controls will need to be applied to prevent the data's loss; and that the enterprise-wide management of those controls needs to be as efficient as possible."

Companies Need to Enable Safe Access to Data

The survey showed that the flexibility to make information readily available to partners, customers and distributed workers are top priorities for businesses today. Seventy-five percent of the respondents reported that access to data by remote employees is a top concern, followed next by demands for collaboration and data exchange with partners at sixty-nine percent, and consumer access at sixty-three percent.

Adhering to Internal Policies Considered Critical but Costly

Organizations are cognizant of the imperative to manage and control their data securely and appropriately - as prescribed in many legislative and industry mandates. In fact, sixty-two percent of respondents consider the enforcement of existing company policies on data to be their most pressing driver in ensuring that data is properly secured before it is shared and distributed. However, controlling the rising costs of ongoing compliance with those policies is becoming a burden, and thirty-three percent of the respondents - the majority response to this question - noted the operational costs of compliance are more significant than they would like them to be.

The research also revealed how many organizations have yet to determine what shape their policies should take - and how to implement them effectively:

• Fifty-five percent of respondents have data security policies that are either outdated or require significant changes to bring them in line with regulatory and company mandates • Twenty-seven percent indicated that the policy they have is rarely enforced

What is Holding Businesses Back

1. Knowing what data you have - and understanding its sensitivity Determining the scope of how to address company policy requirements starts with data classification - knowing what data is important and everywhere it is located.Data classification is essential to providing proper guidance for a data security strategy and ensuring focus on the most critical areas so that costs can be contained.
• Fifty-two percent of respondents listed data classification as a top priority; however, thirty-seven percent of respondents do not actually have a data classification policy

2. Using Appropriate Data Controls to Prevent Loss or Leakage Once companies have a data classification policy in place, the next step is to implement a control strategy to mitigate the associated risks to their data.Encryption is quickly becoming the de facto control technology for meeting data security requirements:
• Sixty-two percent of respondents intend to increase their encryption deployments and sixty-five percent plan to increase their overall spending on encryption • Fifty-two percent of respondents intend to increase spending on information leak prevention technology, another important control
• However, sixty-two percent of those surveyed either do not have an encryption policy or strategy at all, or consider their strategy to be incomplete as it only covers data at rest or data in transit, but not both. Implementing a strategy that addresses all aspects of a data security policy requires an enterprise-wide approach.However, this survey showed that seventy-eight percent of respondents do not always approach the adoption of encryption controls from an enterprise-wide perspective.Instead, they focus more on solving tactical operational problems increasing the operational costs of deploying and managing encryption controls.

3. Simplifying the Management of Data Controls In the survey, the biggest contributor cited to the rising costs and deficient rate of return on investment on encryption was the lack of enterprise-wide key management.The top three operational issues with encryption indicated by respondents were in the area of key management, and over fifty percent of respondents also noted that these operational problems have had a material impact on the business.Most organizations polled, fifty-three percent, still rely on manual processes to deal with key management issues. "The results of the survey indicate that a comprehensive and cost-effective approach to data security will help organizations construct manageable - and repeatable - data loss prevention processes," Hoffman continued."This framework will enable enterprises to fully exploit their information's value for business advantage." Methodology

In April 2007, RSA commissioned Forrester Consulting to survey North American organizations and ask them about their priorities and activities around data protection. In this online survey:

• Twenty percent of respondents were from companies of between 5,000 and 20,000 people, 21 percent were from organizations of greater than 20,000 employees.
• Twenty-nine percent of respondents were from organizations with revenues between $1 billion and $10 billion, and 17 percent had revenues of greater than $10 billion. • All respondents used encryption within their companies, and all respondents were involved with encryption policy within their company. • About half of respondents had titles of Chief Security Officer or Chief Information Security, CIO, IT Director, or VP of IT

The survey, "The State of Data Protection in North America," conducted by Forrester Consulting, can be found online at: http://www.rsa.com/solutions/financial/whitepapers/ForresterStateofDataSecurit yAugust07.pdf.