The Global State of Information Security 2005
Supporting the “lack of teeth” theory is the fact that only a third of respondents reported having compliance testing in place, and only a quarter link their security organization to the compliance group.
Lobel offers a third factor: “There’s just a lot of regs for these guys to deal with.” Indeed, security mandates so far have targeted specific threats, industries or niches without a single overarching standard for companies to aim for. In this survey, we listed 43 regulations, all of which some respondents said they needed to comply with, and some respondents even added ones we didn’t put on the list. Inevitably, companies will prioritize their limited resources to comply with those they consider most pressing and let others go.
But the point remains: The negative attitude toward regulation (only half of respondents believe it has increased the effectiveness of information security) indicates that the regulations haven’t had their intended effect, at least on information security.
Safe Deposits
The financial services industry takes care of security business better than the rest of us. Learn from their best practices.
For the past two years we’ve highlighted a best practices group, culled from those respondents who professed that they were “very confident” in their information security. This year, our best practices group is not sorted by confidence, but rather pulled directly from one industry—financial services.
The financial services sector has long been presumed to practice superior information security, largely because of the preciousness of its assets (money) and the fact that its business is carried out almost entirely on IT systems. The stakes are higher, the risks are higher, so the information security protection must be higher too.
To an extent, the data supports the idea that companies in the money business tend to be more strategic and more secure than the rest of us, and, it turns out, even more confident. Another factor that helps financial companies excel is that they tend to be bigger, and bigger companies usually have more resources. (Then again, bigger companies often have a harder time with governance, and financial services companies, by this data, show strong organization.)
But we also chose the financial services sector as a best practices group for several other reasons. The stakes are fiercely high in a business shooting huge sums of money around IT networks. Also, financial services companies already use risk models, returns on investment and other strategic tools in other parts of the business and have begun to apply those same tools to information security. Finally, the financial community knows regulations and has for a long time. When it comes to information security, the financial services industry is in a position where everyone else is headed.