The survey of 517 U.S. and multinational IT security practitioners who are involved in their company's efforts to comply with the Payment Card Industry (PCI) Data Security Standard (DSS), found that 71 percent of respondents believe their organization does not view data security as a strategic initiative across the enterprise.
Larry Ponemon, chairman and founder of the Ponemon Institute, said in a recent podcast about the survey that he finds that statistic “very disturbing,” because failing to treat data protection as a strategic business initiative could ultimately lead to loss of customer confidence and trust.

In addition, 60 percent of survey respondents said their organization does not have enough resources to become PCI compliant. And 79 percent of respondents said their organization has experienced a data breach.
Brian Contos, chief security strategist at Imperva, told SCMagazineUS.com on Tuesday that lack of budget is tied to lack of executive support for data security efforts.
“The companies that look at compliance strategically and get executive involvement tend to have more robust security programs,” Contos said.
But 55 percent said that they do not believe their CEO strongly supports PCI efforts. Also, just 27 percent of survey respondents said they feel PCI compliance contributes to an improved security posture in their organization – a finding Ponemon viewed somewhat positively.
“I looked at the number [27 percent] and said ‘…that seems pretty low,’” Ponemon said in the podcast. “But then you think about it, a lot of organizations see PCI as a compliance thing only. So if you look at all of the organizations that potentially have to comply or should be complying with PCI, to say that 30 percent agree that their security posture improves, suggests that PCI is pretty successful.”
Seventy-five percent of respondents said their organization has achieved some level of PCI DSS compliance, the survey found. Just 22 percent said they have achieved full compliance for all enterprise applications and databases, 28 percent were compliant for “most,” and 25 percent were compliant for “some.”
For many organizations, though, data security efforts do not extend beyond the protection of credit card information. Fifty-five percent of respondents said their organization doesn't secure Social Security numbers or other potentially sensitive information.