The survey of 353 IT decision makers, consultants and security analysts found that while companies don't associate security with compliance, often times CISOs and IT directors must justify anThe greatest of these challenges, for CIOs and their teams, is to keep their systems compliant.
Risk and Compliance Outlook 2011 report,
The survey, "Risk and Compliance Outlook 2011," was released Wednesday. It was conducted by Evalueserve in December and commissioned by McAfee Inc.
The survey asked respondents to rank technology areas they find most challenging to meet compliance mandates. Respondents said mandates protecting databases were the most challenging. Nearly all organizations surveyed (93%) indicated they had already or were expecting to deploy database activity monitoring tools. Network mandates were ranked the second most challenging, followed by application security.
"The greatest of these challenges, for CIOs and their teams, is to keep their systems compliant," according to the report. "The second biggest challenge is to completely automate IT controls, and understanding complex regulations is the third biggest hurdle"
Survey respondents also indicated that change management was a major problem in trying to maintain compliance. Organizations estimated that 14% of company downtime in a year is the result of unauthorized changes. To deal with change management issues, 75% of those surveyed said they deploy configuration assessment tools followed by integrity monitoring (68%) and database activity monitoring.
Change management troubles also fuel issues when auditors hit the trail, the survey found. Regulatory compliance audits often get IT teams in "firefighting" mode, an issue that can take away from strategic projects and business goals. Only 25% of the companies surveyed claimed they don't worry about audits.
"Significantly, while around six of ten companies track the type of change that took place and the time of change in their audit trails, less than half of them also track the individual who made the change as well as the location of the change," the survey said. "The failure to track individuals leaves a significant gap in accountability, either for failure to perform their duties properly or, in the worst case, making it more difficult to track down a malicious insider."
The McAfee survey pointed out that automated risk and compliance tools and standardized security suites help lessen the burden of compliance assessments.