As Compliance Requirements Mount, Companies Struggle to Bring Data Security and Privacy Practices up to Speed
By Ameesh Divatia, CEO and co-founder | June 22, 2022
The compliance landscape is becoming more complex for U.S. companies, especially those conducting business in multiple states and internationally. In 2022 alone, Connecticut and Utah have passed consumer privacy laws, joining California, Virginia and Colorado, whose privacy laws will go into effect next year. Many other states are considering similar privacy laws. When you consider the EU’s GDPR—which many U.S. companies must abide by—and industry privacy regulations, organizations are scrambling to understand how to comply with privacy regulations that may differ from and even contradict one another. But they are aware that strong privacy and compliance strategies are competitive differentiators.
The increased attention related to compliance is reflected in a recent survey from analyst firm Enterprise Management Associates (EMA) and Baffle, “Using Compliance Budget to Advance Security Priorities.” The report confirms a great deal of what we at Baffle have always believed to be the case: The growing number of data privacy laws are moving compliance to the top of the queue as a security priority. Let’s take a closer look at some key findings.
Many organizations struggle with data security and privacy
The survey found that 38% of respondents listed data security and privacy—which directly impacts an organization’s ability to maintain compliance—as their most significant security challenge. So it is no surprise that 75% of those surveyed indicated that their organizations are using existing tools or evaluating new ones to address data privacy concerns, and 93% said it was very or moderately important that their security tools can be used for data privacy and other security controls.
The report notes, “Data security/privacy concerns will be a primary motivator for security and compliance spending for the foreseeable future. As the impacts of privacy legislation become clearer (since there are additional rulings and findings based on the regulations), organizations will have a better sense of how and where to invest security and compliance resources to address these concerns.”
However, some organizations are still struggling with data privacy and security because they are not fully aware of who is protecting what. A surprising 7% of respondents indicated that their cloud providers are responsible for security. While most cloud shared responsibility models make the provider responsible for securing the cloud itself (the underlying infrastructure and services), securing the data placed inside the cloud remains the organization’s job.
Organizations are prioritizing several measures to address data privacy, namely data classification and reconciliation, security considerations, regulatory and vendor controls, solutions that focus on data management, and solutions that prevent data from being lost or stolen.
Compliance has become a mainstream security concern
According to the research, 89% of respondents confirm that their organizations’ security and IT compliance priorities are generally aligned. Similarly, 96% indicate that compliance has shifted their security strategies.
The report adds further insight: “When security and compliance have a unified strategy and vision, every department and employee within the organization benefits, as does the business customer. It also allows security to focus on real threats – the bad guys trying to steal data and cause harm to the organization – instead of the perceived threats – the compliance team are the bad guys, and they are trying to take over the world. There are not enough resources for this kind of infighting and diversion.”
Most companies are increasing compliance-related investments
From a spending standpoint, the increase in compliance regulations—and the complexity related to adhering to multiple privacy mandates—impacts the direction of security investments. The study points out that nearly 74% of organizations expect to increase annual compliance investments.
The report also lists areas for which companies prioritize budgeting, and those responding to the survey said solutions that address compliance rank high on the list. As to whether their companies are making significant, moderate or minimal investments in various security tools and solutions, respondents indicated they are spending significant resources on data security and data privacy management tools (50.5%) and data protection and data loss prevention solutions (50%).
For overall spending, 99% of companies invest in compliance management solutions. The same percentage of companies purchase data protection solutions that address bringing your own key (BYOK), masking, tokenization and encryption.
Addressing compliance is good for business
Sixty-seven percent of respondents indicated that their organizations want to use compliance as a market differentiator. And for further context, 75% said that a data privacy program—critical to maintaining compliance—is also a differentiator in their space. Implementing data privacy strategies that address compliance is not merely a nice-to-have proposition; it is a critical business strategy.
According to EMA, “Increasingly, forward-thinking organizations are looking for ways to maximize their competitive advantage in their markets, and having a best-in-class data privacy program or compliance program is something that more savvy customers are interested in, especially in organizations with a global reach. Compliance is no longer a ‘table stakes’ proposition: Comprehensive compliance programs focused on data security and privacy can differ in very tight markets and are often a deciding factor for organizations choosing one vendor over another.”
This is a very insightful point, as we have always viewed data security and privacy as non-negotiable aspects of doing business. With more privacy regulations and the complexity of a cloud-reliant business environment, organizations must plan for protection that goes above and beyond current compliance requirements.
Security and compliance teams must work together
While general awareness of compliance and its importance to business success is heightened, there seems to be a disconnect between security and compliance teams. On the one hand, 89% of respondents said the priorities of the security team and compliance team were aligned, and 95% indicated that compliance had impacted their security strategies. However, 74% said that security and compliance projects are conducted independently of each other, and nearly 39% indicated that compliance laws like the California Consumer Privacy Act and the GDPR had not impacted their approaches to security.
The security and compliance teams must collaborate for compliance to be a top priority, and organizations must plan their security strategies with compliance regulations in mind. In doing so, organizations can weave compliance into their security DNA instead of treating it as an add-on.
Compliance is complex, especially for companies that must follow several regulations that vary in comprehensiveness. However, this report confirms that businesses are aware of how important compliance is and are taking strides to address it. And with the right tools and partners, companies can better align the security and compliance teams to benefit themselves and their customers.
To learn more, view the full EMA report here.