Core Competencies for Protecting Sensitive Data
One of the most striking findings from the research is the correlation between the loss of sensitive data and regulatory compliance results: firms that excel at protecting sensitive data also perform well on regulatory compliance audits. Almost all (96 percent) of the organizations with the least loss of sensitive data are the exact same organizations with the fewest regulatory compliance deficiencies that must be corrected to pass regulatory audits. In contrast, the majority (64 percent) of the organizations with the most loss of sensitive data are the same organizations with the largest number of regulatory compliance deficiencies that must be corrected to pass audits.
Figure 1: Firms with the most data loss and theft

By analyzing the firms with the least sensitive data loss (leaders) and those that experience the most data loss (laggards), the research reveals several steps that can help improve data protection, including defining fewer control objectives (expressions of policy), pursuing more frequent assessments, and leveraging IT change management to prevent unauthorized use or change.
Best Practices from Sensitive Data Protection Leaders
Organizations with the least amount of data loss are the firms with the best regulatory compliance audit results. These firms demonstrate a core set of competencies that not only minimize data loss and improve compliance, but also minimize the financial impact of data breaches (see the previous report, “Why Compliance Pays Reputations and Revenues at Risk”) and enable sustained competitive advantage. The core competencies include:
Organizational structure and strategy
- Implement a world-class compliance program
- Document and maintain policies, standards and procedures
- Reorganize internal controls, IT security and risk management functions to leverage customer intimacy and operational excellence
Customer intimacy
- Define the roles and responsibilities of policy owners
- Identify and manage business and financial risks
- Deliver employee training and manage exceptions to policy
Operational excellence
- Expand the scope of internal audit to most business functions
- Make control objectives risk-relevant
- Reduce the number of control objectives
- Implement controls that are measured
- Conduct self-assessments of procedural controls
- Increase the frequency of technical controls assessment
- Implement a complete IT change management program
- Use IT change management to prevent unauthorized use or change