Data security consistently tops the laundry list of security priorities because it must. Organizations are collecting data, creating data, using data, and storing data in some way or another. Mishandle data or disregard privacy, and you’ve got a public relations fiasco on your hands with the potential to disrupt business operations or hurt the bottom line.

So, we know that data security is a priority, but what does that mean? What are organizations actually doing here? How much are they spending, and where are they focusing their efforts? And what are they doing about privacy? I’ve dug into data from Forrester’s Forrsights Security Survey, Q2 2012 and data from the International Association of Privacy Professionals (IAPP) to answer these questions in a newly published benchmarks report for our Data Security and Privacy playbook. Note: This is not a shopping list, nor a checklist, nor is it a “spend x% on data security because your peers are doing so!” manifesto. This report is meant to be a starting point for discussion for S&R pros within their organizations as they take a closer look at their own data security and privacy strategy.

Key findings include:

  • Data security is a top priority and commands a sizable chunk of budget. A majority of organizations (91%) cite data security as a critical or high priority and allocate, on average, 16% of security technology budget to this area. Hot focus areas include database vulnerability assessment, monitoring, and auditing, with 24% of firms planning to invest here, and data leak prevention (DLP), with 22% of firms planning investments in this area.
  • Consumerization fuels data security concerns, but protection is lacking. Data loss and protection are top mobile security concerns. Most firms have policies to address consumerization (85% have a smartphone security policy, and 76% have a tablet security policy), but enforcement tools are lacking. Despite high concerns, many firms are either doing nothing for mobile data protection (23%) or only implementing baseline device security policies (38%) like password entry and remote lock and wipe.
  • Privacy responsibilities go beyond the security group. Data security is primarily a security group responsibility. Privacy responsibility cuts across various business units and groups, and privacy officers and third-party privacy support are also called in to help. Privacy professionals surveyed by the IAPP tell us that top drivers for funding privacy include meeting compliance (54%) and reducing risk of data breach notification and publicized data breaches (50%).

Any surprises? Or does this align with your expectations? Does your organization enlist the support of external privacy experts? And how does your organization approach or use benchmarking data? I’d love to hear from you.