Even as an overwhelming majority of large global enterprises feel vulnerable to data breaches and other security threats, too many organizations continue to approach cybersecurity as a compliance exercise, according to a new survey from the security vendor Vormetric.
In a poll of more than 1,100 security executives around the world, 91 percent of respondents consider their organization to be vulnerable to internal or external data threats.
And yet, 64 percent of respondents express the view that compliance is a "very" or "extremely" effective strategy in staving off data breaches, up six percentage points from last year's survey.
"Compliance does not ensure security," says Vormetric CSO Sol Cates. "It's a bare minimum of security you should have in place."
[ Related: Compliance does not equal security ]
A slim majority of respondents at 58 percent say that they plan to increase spending on security over the coming year, but they indicate that much of that effort is still motivated by compliance concerns. Executives in heavily regulated industries, where compliance issues cast a long shadow over a company's operations, tended to be the most optimistic that compliance is a path to strong security.
Many of the security executives polled say that they intend to channel their spending in 2016 toward stronger perimeter defenses like network and endpoint security, as well as security-incident and event management.
Those strategies are well and good, as far as they go, but firms like the survey's sponsor that specialize in data security are argue that companies need to do more to protect their sensitive data where it resides.
Data has no defense
"In reality the adversary is really after that data, and we're putting the controls to protect that data itself really down at the bottom of the list," Cates says. "Data is data -- it's ones and zeroes, it doesn't have any built-in defense."
Thirty-nine percent of survey respondents say that they experienced a data breach or flunked a security audit in the past year.
Vormetric touts the effectiveness of tactics like encryption and tokenization, but Cates acknowledges that many companies have some more fundamental work to do to get their house in order. He urges firms to take a thorough inventory of their data assets and access controls -- a task dramatically complicated by the increasing use of third-party contractors and service providers -- and then determine which resources are critically important.
Data classification remains big problem for most businesses
"That's the hardest part is just knowing where is it, who has it. Data classification is still a problem for a lot of organizations," he says. "A lot of organizations, what happens is sprawl. Things are always changing, so unless you have a very good framework and a policy and a process, it becomes really hard to do it."
Too many firms, Cates says, haven't completed what he calls the "blocking and tackling" of data discovery and classification. After taking a hard look at the data assets, many firms conclude with confidence that only around 10 percent to 20 percent of their data assets might be considered mission-critical, and therefore in need of the strongest protection.
"Not everything is valuable. In most organizations it's a very small percentage that's very valuable," Cates says.
[ Related: Study: Compliance biggest cloud security challenge ]
Even as firms like Vormetric urge companies to become more vigilant in locking down their data, the security units of an organization cannot operate in a vacuum. Cates stresses the importance of the CISO partnering from the outset with the CIO -- and by extension the business side of the house -- to strike an appropriate balance of data security that does not unduly hinder the mission.
"You've really got to make sure security is step 1, because it's really hard to retrofit security in after the train's left the station," Cates says. That process must be collaborative, he says, appealing for the security wing of the enterprise to show a measure of restraint and develop a data policy that respects the legitimate business concerns of access and usability. "Don't break the business -- rule number 1 as a CISO is you can't break the business."