BEDFORD, MA and REDMOND, WA– April 5, 2010 — RSA, The Security Division of EMC (NYSE: EMC) and Microsoft (MSFT) today announced the results of a commissioned global survey conducted by Forrester Consulting on behalf of RSA and Microsoft, entitled “The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk.” The survey of 305 IT security decision-makers worldwide revealed that enterprises are investing heavily in compliance and protection against accidental leaks of custodial data (such as customer information), but under-investing in protection against theft of far more valuable trade secrets.
Security spending mis-aligned with information value
“Nearly 90% of enterprises we surveyed agreed that compliance with PCI-DSS, data privacy laws, data breach regulations, and existing data security policies is the primary driver of their data security programs. “Significant percentages of enterprise budgets (39%) are devoted to compliance-related data security programs,” according to Forrester Consulting’s study. “But secrets comprise 62% of the overall information portfolio’s total value while compliance-related custodial data comprises just 38%, a much smaller proportion. This strongly suggests that investments are overweighed toward compliance.”
“Companies are spending money to protect customer, medical and payment card information, as they should, but more emphasis needs to be placed on protecting the intellectual property and data that has intrinsic value to an organization,” said Sam Curry, CTO, Marketing, RSA, The Security Division of EMC. “If IP is lost, it can cause long term competitive harm to an organization. The recent and highly-sophisticated attacks targeting intellectual property of large multinational companies are examples of this type of loss.”
Information theft is more costly than accidental loss
The survey revealed that while organizations focus on data security incidents related to accidental loss, information theft by employees or trusted outsiders is more costly. For example, based on responses received in the survey, employee theft of sensitive information is ten times costlier than accidental loss on a per-incident basis: hundreds of thousands of dollars versus tens of thousands.
“Insider risk is a real and growing threat and the modern enterprise environment of collaboration with a variety of outside parties creates more opportunities for leakage and theft,” said John Chirapurath, senior director of the Identity and Security Business Group at Microsoft. “This data illustrates that the more a company has to lose in terms of information value, the more criminal activity it will face.”
A need for real assessment and measurement of information security
Despite a wide range in security spending, views on the value of information and number of incidents, nearly every company rated its security controls to be equally effective.
“Most enterprises do not actually know whether their data security programs work or not, other than by raw incident counting,” according to Forrester Consulting. “‘Compliance’ in all its forms has helped CISOs buy more gear. But it has distracted IT security from its traditional focus: keeping company secrets secure.”
Together, Forrester, Microsoft and RSA are providing a set of recommendations within the study to help enterprises ensure that their information security strategies are appropriately balanced, including:
Identify the most valuable information assets in the company’s portfolio
Create a “risk register” of data security risks that documents specific threat scenarios
Assess and reprioritize the IT security program’s balance between compliance and protecting secrets
Increase vigilance of external and third-party business relationships
Measure data security program effectiveness
The Forrester Consulting Study sponsored by RSA and Microsoft is available at www.rsa.com/CorporateSecrets and http://www.microsoft.com/DLP.
Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.
RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle — no matter where it moves, who accesses it or how it is used.
RSA offers industry-leading solutions in identity assurance & access control, data loss prevention, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.
This press release is available in Social Media Format.