Even as an overwhelming majority of large global enterprises feel vulnerable to data breaches and other security threats, too many organizations continue to approach cybersecurity as a compliance exercise, according to a new survey from the security vendor Vormetric.
In a poll of more than 1,100 security executives around the world, 91 percent of respondents consider their organization to be vulnerable to internal or external data threats.
And yet, 64 percent of respondents express the view that compliance is a "very" or "extremely" effective strategy in staving off data breaches, up six percentage points from last year's survey.
"Compliance does not ensure security," says Vormetric CSO Sol Cates. "It's a bare minimum of security you should have in place."
A slim majority of respondents, 58 percent, say that they plan to increase spending on security over the coming year, but they indicate that much of that effort is still motivated by compliance concerns. Executives in heavily regulated industries, where compliance issues cast a long shadow over a company's operations, tended to be the most optimistic that compliance is a path to strong security.
Many of the security executives polled say that they intend to channel their spending in 2016 toward stronger perimeter defenses like network and endpoint security, as well as security-incident and event management.
Those strategies are well and good, as far as they go, but firms like the survey's sponsor that specialize in data security argue that companies need to do more to protect their sensitive data where it resides.
Data has no defense
"In reality the adversary is really after that data, and we're putting the controls to protect that data itself really down at the bottom of the list," Cates says. "Data is data -- it's ones and zeroes, it doesn't have any built-in defense."
Thirty-nine percent of survey respondents say that they experienced a data breach or flunked a security audit in the past year.
Vormetric touts the effectiveness of tactics like encryption and tokenization, but Cates acknowledges that many companies have some more fundamental work to do to get their house in order. He urges firms to take a thorough inventory of their data assets and access controls -- a task dramatically complicated by the increasing use of third-party contractors and service providers -- and then determine which resources are critically important.
Data classification remains big problem for most businesses
"That's the hardest part is just knowing where is it, who has it. Data classification is still a problem for a lot of organizations," he says. "A lot of organizations, what happens is sprawl. Things are always changing, so unless you have a very good framework and a policy and a process, it becomes really hard to do it."