While many IT departments are spending significantly on compliance and protection from accidental leaks of "custodial data," most are not investing enough in protecting their organizations' most important secrets. That's according to a new Forrester Consulting survey funded by Microsoft and RSA.

According to the researchers, who surveyed 305 IT security decision makers globally, two types of business data need to be secured. Those include "secrets that confer long-term competitive advantage, and custodial data assets that they are compelled to protect."

To Forrester, secrets include information such as product plans, earnings forecasts, and trade secrets, while custodial data includes customer, medical, and payment card information that becomes "toxic" when stolen or exposed.

"Significant percentages of enterprise budgets (39 percent) are devoted to compliance-related data security programs ... But secrets comprise 62 percent of the overall information portfolio’s total value while compliance-related custodial data comprises just 38 percent, a much smaller proportion," an overview of the study said.

"This strongly suggests that investments are overweighed toward compliance," the overview continued.

Refocusing corporate cyber security while maintaining compliance

In the report, Forrester, Microsoft (NASDAQ: MSFT) and RSA, the security division of EMC (NYSE: EMC), provided a set of recommendations to help IT security organizations rebalance their security priorities.

For instance, decision makers should identify which information is the most valuable to the firm. They should then assess whether the current balance of spending between protecting custodial data and protecting secrets reflects that value.

Another smart move would be to "create a 'risk register' of data security risks [that] divides the risks your firm faces into two categories: compliance risks and misuse of secrets."

"Further, IT security professionals should also evaluate third-party relationships, especially in cases where sharing of critical data is required," the report said. "Consider data sharing strategies that don't require third parties to store data on their devices, such as client virtualization."

The survey, which was carried out in November and December, polled 163 U.S.-based companies and 102 European companies, as well as 40 based in Australia and New Zealand. The companies surveyed all employ more than 5,000 people, according to Forrester.

The findings represent the latest joint effort by Microsoft and RSA, both security software vendors. The two collaborated as recently as a year and a half ago on more closely integrating their data protection products.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals.