Skip to content

New Baffle and EMA Research: 93% of Organizations Say Compliance Shifted Their Security Strategies

Compliance Budget Survey

75% of respondents say implementing a significant data privacy program is a competitive differentiator in their space

Santa Clara, Calif.—June 22, 2022—Baffle today released a report titled “Using Compliance Budget to Advance Security Priorities,” which details insights and trends related to compliance, security and privacy. The survey polled more than 200 technology leaders from mid- to large-size organizations across North America, representing more than 10 industry verticals. 

The Baffle-sponsored research, conducted by analyst firm Enterprise Management Associates (EMA), examines the impact of the compliance budget on security strategy and priorities. It describes areas for which companies prioritize information security and compliance, which leaders control information security spending, how compliance has shifted the overall security strategy of the organization, and the solutions and tools on which organizations are focusing their technology spending.

“This study confirmed our long-standing theory that when security and compliance have a unified strategy and vision, every department and employee within the organization benefits, as does the business customer,” said Christopher M. Steffen, CISSP, CISA, managing research director of EMA. Most organizations view compliance and compliance-related activities as “the cost of business,” something they have to do to conduct operations in certain markets. Increasingly, forward-thinking organizations are looking for ways to maximize their competitive advantage in their markets and having a best-in-class data privacy program or compliance program is something that more savvy customers are interested in, especially in organizations with a global reach. Compliance is no longer a “table stakes” proposition: comprehensive compliance programs focused on data security and privacy can be the difference in very tight markets and are often a deciding factor for organizations choosing one vendor over another.” 

The findings cover three critical areas of an organization’s security and compliance posture: information security and IT audit and compliance, data security and data privacy, and security and compliance spending. Here are the top insights from each.

Information Security and IT Audit/Compliance Trends

One key takeaway is that merging security and compliance priorities addresses regulatory control gaps while improving the organization’s security posture. Respondents revealed insights on how they handle compliance, who is responsible for compliance and security responsibilities, and what compliance-related security challenges organizations face. Additional findings: 

  • Companies found the need to shift their information security strategy to address compliance priorities (93%).
  • Information security and IT compliance priorities are generally aligned (89%).
  • Existing security tools have to address data privacy considerations going forward (76%)
  • Managing an organization’s multiple IT environments and the controls that govern those environments is the greatest challenge in the IT audit and compliance space (39%)

Data Security and Data Privacy

Data security and privacy are central to information security and regulatory compliance. According to the study, data privacy regulations, such as the EU’s General Data Protection Regulation or the California Consumer Privacy Act, are primary considerations for business and technology leaders. In the absence of a national privacy referendum, five states have already established individual privacy laws. Other results include:

  • Organizations believe that the implementation of a significant data privacy program is a competitive differentiator (75%)
  • Organizations use or are looking to use a regulatory compliance program as a competitive differentiator (68%)
  • Respondents are looking for tools to address data privacy controls (75%).
  • Companies are altering their organizations’ approaches to information security to address data privacy regulations (59%).
  • Companies take a data classification or security-centric approach to data privacy (54%).
  • Data security and the tools and data encryption is their most significant security challenge (38%).

Security and Compliance Spending

Given the growing concern over maintaining compliance, it is no surprise that the study found that companies are investing significantly in data security and privacy tools and are spending the least on point solutions. Additionally, the chief information officer (CIO) is most likely responsible for the security and IT compliance investments budget. The CISO (for security) and the chief compliance officer (for compliance) significantly influence their respective budgets. Further insights include:

  • Companies are currently or will be making a significant investment in data privacy and data loss prevention (98%).
  • Respondents increased IT, information security, and IT compliance investments over previous years (75%).
  • Most information security budgets range between $50,000 and $5 million in information security (61%) and are approximately the same for IT audit and compliance (58.8%).
  • Future budgets are increasing moderately or slightly for information security and security consulting (74%) and IT audit and compliance (66%).

“Data responsibility is a competitive advantage. As this research with EMA reveals, companies realize that it is critical to align security and compliance resources,” said Ameesh Divatia, co-founder and CEO of Baffle. “It is gratifying to learn that IT practitioners are taking compliance very seriously, and this mindset is shaping their security strategy and investments. The environment is ideal for innovation as these practitioners evaluate tools that improve their security posture to comply with data privacy regulations. And with data privacy regulations moving compliance in lockstep with security, work done now to manage the complexity of compliance will only benefit an organization and its business customers in the long term.”

Visit the company’s blog and download the report on Baffle’s website to read more about the study’s methodology and results.

About Baffle

Baffle protects data in the cloud via a “no-code” and “low code” data security mesh. The solution provides universal data protection to secure data wherever it lives and as it is consumed in distributed data environments. Companies can control who can see what data with this security layer with no performance impact on the user experience. Proven in large-scale environments, only the Baffle Data Protection Service de-identifies sensitive information on the fly as it is processed in the cloud. With no application changes, security teams can move in lockstep with business initiatives to move more data and workload to the cloud faster. Investors include Celesta Venture Capital, National Grid Partners, Lytical Ventures, Nepenthe Capital, True Ventures, Greenspring Associates, Clearvision Ventures, Engineering Capital, Triphammer Venture, ServiceNow Ventures [NYSE: NOW], Thomvest Ventures, and Industry Ventures. Follow us on Twitter and LinkedIn.



Davida Dinerman

Look Left Marketing

[email protected]

Join our newsletter

Schedule a Demo with the Baffle team

Meet with Baffle team to ask questions and find out how Baffle can protect your sensitive data.


No application code modification required


Deploy in hours not weeks


One solution for masking, tokenization, and encryption


AES cryptographic protection


No impact to user experience