Organizations Prioritize Regulatory Compliance Over Risk Assessment, Study Says

2018 appears to be the year of regulatory compliance, threatening to hinder all IT initiatives and projects. Whether it’s The Payment Card Industry Data Security Standard (PCI DSS), the banking sector’s PSD2 (Revised Payment Service Directive), NIST for federal agencies or the EU’s boogey-man - Global Data Protection Regulation (GDPR), organizations worldwide are struggling to meet all industry-specific guidelines and recommendations to avoid substantial fines following an incident.

All these directives will change the landscape utterly, and some have even instilled legitimate fear in enterprises. According to a Voice of the Enterprise survey released by 451 Research, 35 percent of organizations have made regulatory compliance a top priority in 2018 and 21 percent see it as a major concern, while 23 percent consider it a decisive factor in moving forward with security projects.

User behavior leads the way when it comes to information security pain points (29%), followed by compliance-related costs and requirements (21%), staffing information security (20%), cloud security (19%) and lack of budget (18%).

While only three years ago risk assessment was vital in getting approval for information security projects, regulatory compliance requirements have gone up on the approval and priority list (23%), now followed by risk assessment (22%), according to security managers.

When asked about their top information security projects in the upcoming 12 months, besides focusing on regulatory compliance, 19 percent said they would focus on security awareness initiatives, 18 percent on cloud infrastructure security, 17 percent on security information, event management and security analytics and 16 percent on vulnerability assessment.

“Our organization is increasingly becoming a target for spearfishing and whale fishing… What we're wanting to do, really, is get ahead of the curve there, just to make sure that we're protecting our valuable identities,” said a senior manager working in a software, IT & computer services company that employs 500-999 people.  “We're focusing on VPs and EVPs, but this is also going to be working with system administrators, high-level security personnel like myself, folks who are involved in application management, and server management.”

Over the past two years, organizations have become more security-conscious, increasing spending on security solutions for their endpoints. Enterprises with over 10,000 employees have an average of four endpoint security solutions, while smaller businesses have an average of three, says the report. The problem is that, the larger the company, the more risks and the more difficulty it faces in detecting attacks.

Overall, tech teams take roughly 7.7 hours to clean up malware every week, while large enterprises with over 10,000 employees will allocate 13.5 hours every week. But endpoint security solutions can help eliminate malware and fix the network following a security incident. In fact, 46 percent said their endpoint security solutions came in handy when dealing with general malware outbreaks.