Part 2 of CXO Priorities | COMPLIANCE

Most organizations face a "relatively high" risk of suffering a data loss that would expose them to extremely embarrassing publicity, according to the latest assessments by the IT Policy Compliance Group. And things can get very bad indeed, with the worst laggards on compliance routinely suffering 17 or more disruptions annually from IT security events.

How well each individual organization mitigates that risk depends on how it complies not only with its own policies but also with a host of regulatory and industry governance requirements on the handling and custody of sensitive data.

But while compliance may be a priority and most CIOs may be well aware of their responsibilities in this area, the picture on how well they manage compliance remains depressingly uninspiring. The Compliance Group's July 2007 Benchmark Research Report found that while most organizations are exposed to financial risk from data loss and theft, nine out of 10 are still failing to leverage compliance and IT governance procedures that could help mitigate financial risk from lost or stolen data.

The CIO has a burden of duty to understand the broader ramifications of compliance and the consequences of non-compliance

The Compliance Group's research shows that the two out of every 10 organizations that are lagging have the most to gain from strong compliance efforts, the seven out of 10 deemed "normative organizations" can reduce substantial financial risk by improving their compliance efforts, while the one in 10 organizations categorized as "leading" are well positioned and suffer the fewest business disruptions. In fact compliance leaders suffer no more than two disruptions annually from IT security events, compared to the 17 or more disruptions suffered by compliance laggards. They also, unsurprisingly, suffer the least data loss and theft.

Financial losses will inevitably occur with data loss and theft, with the only question being when and by how much, according to the report. Compliance laggards are likely to make the front page of the paper for a data loss or theft once every three years or sooner, compared to once every 42 years or longer for compliance laggards.

The research found best practices for improved results include:

• Implementing more of the appropriate IT controls

• Reducing control objectives, making it easier to communicate, measure, and report

• Establishing higher standards for performance objectives

• Encouraging a culture of operational excellence in IT

• Monitoring, measuring, and reporting controls against objectives at least once every two weeks

• Allocating more funds to control automation

Benchmark results from the report suggest for most organizations, effectively reducing and sustaining compliance results mean overcoming 70 per cent of deficient controls that are IT security specific. For most organizations, defining, controlling, and governing these IT-related deficiencies means better managing the mix of labour and automation in IT to reduce and sustain results.

"The benchmarks show that organizations spending more on IT security have fewer deficiencies. Moreover, the findings show that organizations spending less on contractors and services and more on equipment and software to implement automated IT-based continuous assessment are faring better," the report says.

The benchmarks show that improving IT compliance depends on three critical factors:

The frequency with which IT compliance is audited and measured; how much time is allocated to IT compliance by the organization, and pending and spending allocation on IT security. Of these, the most important factor is the frequency of monitoring and measurement.