The key benchmark was the number of "significant and material deficiencies" found in a company's most recent information-technology audit. The most common deficiencies concerned configuration and change management, security monitoring, and user and application access controls. Areas covered on the I.T. audits included data security policies and regulations like Sarbanes-Oxley.
Jim Hurley, research director at Symantec, says 11% of the companies surveyed were compliance "leaders," with two or fewer violations, while 20% were "laggards," with more than 15. Most companies, the "norm," fell in the middle.
What distinguished the compliance leaders? The three most critical factors, Hurley says:
1. At least once per month, they monitor security and compliance controls. Leaders did this about every three weeks on average, and in some cases daily; laggards conducted such reviews every 7.8 months. Hurley notes that 60% of the leading organizations have fully automated monitoring processes.
2. They dedicate the equivalent of six days per month of an I.T. staff member's time to compliance. The norm spent five days; laggards, an average of four.
3. They spend about 10% of their I.T. budget on security. The norm was 7.5%, according to Hurley. Note, however, that Symantec was a primary sponsor of this research, and the company clearly has an interest in promoting the idea that spending more on data security products would yield better results.
Overall, says AMR Research analyst John Hagerty, the survey results confirm the common assumptions about how to get your shop into compliance: "It's not a surprise that if you stay on top of this, you'll do better on an audit."