How to Learn to Love a Security Audit

By: Intellitactics
Published: Sep 27, 2007
Length: 20
Type: Analyst Report
 
Download Now
Save for Later
  Email This Page
Overview:

Save time and money by sustaining compliance between audits.

Download this paper, in which Aberdeen Group's Derek Brink describes the benefits that best in class companies achieve by taking steps to sustain compliance.

Related Categories: Compliance, Configuration Management, Patch Management

Network and security infrastructures have greatly increased both the volume and the variety of deployed systems – systems which require updates, patches, and configuration changes, and which generate logs of security information and events. At the same time, industry and government regulations have compelled organizations of all types and sizes to manage, audit, and report on security-related systems and information on a more consistent and repeatable basis for purposes of demonstrating compliance. Today, tactical deployment of point solutions for addressing compliance on an as-needed basis is still the most prevalent approach for organizations across the board. Best-in-Class organizations, however, have begun to view compliance not as an event, but as a strategic, sustainable program – which in addition to helping them to achieve and maintain compliance requirements, also helps them to:
- Lower operational costs – 44% of Best-in-Class organizations reduced the cost of addressing non-compliance incidents over the last year; 26% reduced the cost of addressing security-related incidents. Both of these measures are up to 15-times higher than those for all respondents.
- Support higher scale – 86% of Best-in-Class organizations reported an increase in the number of systems requiring updates, patches, and configuration changes actively under management over the past year; 71% reported an increase in the number of systems generating logs actively under management. Both of these measures are more than 40% higher than those for all respondents.
- Reduce security risk – 48% of Best-in-Class organizations reduced the number of actual security incidents over the past year, compared to an increase by a net 7% of all respondents.
- Maintain consistent security policies – 85% of Best-in-Class organizations have established consistent policies for security and compliance, compared to only 68% of all respondents.
"Compliance," taken in all of its dimensions – including compliance with internal policies, government regulations, industry regulations, and industry standards and best practices – is understandably the leading driver of current investments in security and compliance initiatives. Another leading driver – protect the organization and its brand – is indicative of the attention organizations are now paying to security and compliance in the wake of frequent public disclosures of security breaches involving consumer data (Figure 1).

Aberdeen's Maturity Class Framework
To distinguish Best-in-Class companies from Industry Average and Laggard organizations, Aberdeen used the following performance criteria:
- Decrease in the number of non-compliance incidents, number of security-related incidents, and number of false positives, compared to a year ago
- Decrease in the time required to complete a compliance-related audit, compared to a year ago
- Increase in the number of systems requiring updates, patches, and configuration changes actively being managed, and increase in number of systems generating logs actively being managed, compared to a year ago
Companies with top performance based on these criteria earned Best-in-Class status, as described in Table 1. (For additional details on the Aberdeen Maturity Class Framework, see Table 5 in Appendix A.)

The Best-in-Class PACE Framework
Achieving superior performance in developing and sustaining enterprise security and compliance initiatives requires a combination of strategic actions, organizational capabilities, and enabling technologies – referred to by Aberdeen as the Best-in-Class PACE Framework (for a description of the Aberdeen PACE Framework, see Table 4 in Appendix A). The characteristics exhibited by Best-in-Class organizations in this survey are summarized in Table 2.

Best-in-Class Strategies
As shown in Figure 2, tactical deployment of point solutions for addressing compliance where specific needs exist is still the most prevalent approach for companies falling within the Industry Average maturity class (46%). For the majority of Laggards (36%), deployments of solutions for addressing compliance are limited and compliance is currently not a top priority. In contrast, Best-in-Class organizations (47%) lead the way in taking a more strategic, enterprise-wide approach to addressing compliance as part of an integrated security and compliance strategy.
Compared to all respondents, Best-in-Class organizations are 1.7-times less likely to support ongoing compliance requirements through management, auditing, and reporting on a reactive, as-needed basis. On the contrary, the Best-in-Class are 1.4-times more likely to develop a sustainable, continuous compliance infrastructure through automation and by streamlining their management, audit, and reporting processes (Figure 3). As noted, Best-in-Class organizations employ these strategies not only to achieve and sustain compliance requirements, but also to lower operational costs, support higher scale, reduce security risk, and maintain consistent security and compliance policies.