Regulatory compliance is often viewed as a burden, imposing strict criteria on how IT operations should run to ensure data protection and privacy. eSecurity Planet’s 2019 State of IT Security survey found a surprising attitude toward compliance, however – rather than fearing such regulations, most organizations are confident in their ability to meet compliance demands.
Just over 76 percent of survey respondents said they are either somewhat confident (44.9 percent) or very confident (31.4 percent) that their organization is properly meeting all its compliance requirements.
Confidence in compliance was high across all company sizes. For organizations with 10,000 or more employees, 76 percent were either somewhat confident or very confident. For organizations with fewer than 500 employees, confidence in their compliance abilities hit 81 percent.
The confidence stands in marked contrast to the months leading up to last year’s implementation deadline for the EU’s General Data Protection Regulation (GDPR), when companies were struggling to meet the demands of the strict data privacy law. While compliance is improving, about 24 percent of organizations are still getting up to speed on the new law and other compliance requirements.
Compliance controls face mixed adoption
Giving further credence to organizations’ confidence, 76 percent of survey respondents said that no breach they had experienced was the result of a failed or misconfigured security control. Because the survey records self-assessment rather than audit findings, this is best read as organizations believing they are largely staying on top of patches and other critical security vulnerabilities.
One of the key technologies often involved in helping organizations comply with such regulations is GRC (governance, risk and compliance) software, which helps manage and track organizational compliance efforts. Across all company sizes, only about 21 percent of respondents either have GRC tools or plan to purchase them in the next 12 months, a potential weak spot for compliance efforts.
Data loss prevention (DLP) tools are also often a core element of an organization’s compliance efforts, with the ability to identify and protect sensitive information, including personally identifiable information (PII). About 35 percent of organizations have DLP tools, and another 21 percent plan to add them in the next 12 months, tied with network access control (NAC) for the highest spending priority in the survey.
The need to meet regulatory requirements is contributing to an overall increase in IT security spending, with 54 percent of companies reporting that they will increase their IT security spending this year, and 30 percent saying they will increase their spending by 10 to 20 percent or more.
While the majority of respondents to the eSecurity Planet survey are confident in their organization’s ability to meet regulatory requirements, there are still some areas of concern.
Consider adopting GRC technology
Managing compliance with a spreadsheet is not an ideal way to deal with the complexity of modern regulations like GDPR. GRC tools can help organizations automate and monitor compliance efforts in an auditable manner.
With the ever-expanding landscape of compliance requirements, there is often overlap across different compliance regimes. For example, there are multiple areas of overlap between GDPR and the California Consumer Privacy Act (CCPA), set to take effect in January 2020.
With a GRC tool, an organization can map the overlap across different regulations against deployed security controls.
Compliance is ongoing
While compliance audits are often conducted at set points in time, compliance with regulations like GDPR should not be a point-in-time effort.
It’s not hard for systems to fall out of compliance due to system updates or organizational changes. As such, ongoing efforts are needed to monitor and make sure that compliance is maintained with every change and update of IT systems.
Change management, patch management and IT Service Management (ITSM) processes, in addition to GRC, can help organizations maintain the operational discipline needed to continuously maintain compliance.
Limit data collection
For privacy regulations like GDPR and the upcoming CCPA, regulators are specifically concerned about personally identifiable information. Note that the legal terms are broader than the classic notion of PII: GDPR regulates “personal data” and CCPA “personal information,” both of which cover any data that can be linked to an individual, including identifiers such as IP addresses and device IDs.
Modern applications have a tendency to collect as much information as possible about users, but that might not always be necessary. Privacy advocates generally recommend that if data is not needed and doesn’t serve a purpose within an organization, there is no need to collect it. GDPR makes this explicit as the data minimization principle (Article 5(1)(c)): personal data should be adequate, relevant and limited to what is necessary for the stated purpose.
By restricting data collection to data that will be needed and used, an organization can potentially reduce its compliance risk.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.