Compliance: 3 Habits of Successful Companies

There’s no mysterious formula to passing an I.T. audit: It takes focus, dedication and money, according to recent survey of 671 companies.

Companies that have the least compliance-related violations spend more time and dollars on compliance and security tasks than their peers, according to research sponsored by Symantec, a security and storage software vendor, the Computer Security Institute and The Institute of Internal Auditors. The group conducted an online survey of 671 organizations between December 2005 and March 2006 about their compliance activities.

The key benchmark was the number of “significant and material deficiencies” found in a company’s most recent information-technology audit. The most common deficiencies concerned configuration and change management, security monitoring, and user and application access controls. Areas covered on the I.T. audits included data security policies and regulations like Sarbanes-Oxley.

Jim Hurley, research director at Symantec, says 11% of the companies surveyed were compliance “leaders,” with two or fewer violations, while 20% were “laggards,” with more than 15. Most companies, the “norm,” fell in the middle.

What distinguished the compliance leaders? The three most critical factors, Hurley says:

1. At least once per month, they monitor security and compliance controls. Leaders did this about every three weeks on average, and in some cases daily; laggards conducted such reviews every 7.8 months. Hurley notes that 60% of the leading organizations have fully automated monitoring processes.

2. They dedicate the equivalent of six days per month of an I.T. staff member’s time to compliance. The norm spent five days; laggards, an average of four.

3. They spend about 10% of their I.T. budget on security. The norm was 7.5%, according to Hurley. Note, however, that Symantec was a primary sponsor of this research, and the company clearly has an interest in promoting the idea that spending more on data security products would yield better results.

Overall, says AMR Research analyst John Hagerty, the survey results confirm the assumptions of how to get your shop in compliance: “It’s not a surprise that if you stay on top of this, you’ll do better on an audit.”