Security study finds ‘depressing’ gap between knowledge and action

IT professionals admit to understanding hidden data risks but are not investing in the automated tools to address them.

“People know the problem, are aware that there’s a cure out there, but they’re not embracing it because it’s too hard or expensive. That’s not a good prescription for the health of the security organization.”

—Dr. Larry Ponemon, Ponemon Institute

IT and information security practitioners worry because they don’t know where their sensitive and confidential data is or, more importantly, the risk associated with that data. According to “The State of Data Centric Security,” a recent study conducted by the Ponemon Institute, they are aware of the security practices and tools that can address this gap, but they are only just beginning to deploy them effectively—if at all. Security expert and founder and chairman of the institute, Dr. Larry Ponemon, discussed the Informatica-sponsored study’s unexpected results.

What was the hypothesis at the onset of the research, and what was the biggest surprise?

Ponemon: The purpose was to determine the readiness of companies in all global regions for protecting structured and unstructured data assets. Historically, the focus has been on securing the network or physical assets, and organizations have mastered that kind of infrastructure protection. But they are still novices on how to strategize around data-centric security issues.

The biggest surprise was the magnitude of the gap between the number of respondents recognizing the need for better, automated solutions for securing data assets and the reality that so few companies are deploying this technology effectively.

The majority of respondents (80 percent) recognize that not knowing the location of sensitive data poses a threat. But only slightly more than half are prioritizing security initiatives. How do you explain the gap?

Ponemon: It is surprising that people understand their organizations have a real problem yet they recognize that they’re not doing enough and that they don’t have the right resources in place. My guess is the typical security team has limited resources and is fully occupied with putting out fires. Also, we find a lot of the problems around data-centric security are known to people in the trenches like the security analysts and technicians, but are not necessarily as familiar to senior-level management like CISOs [chief information security officers].

The study revealed that more than half of respondents have a positive view of automated data-centric security technologies’ ability to mitigate risk. Yet only 40 percent are deploying such solutions. Why is that the case?

Ponemon: This negative finding tells me that organizations are not prioritizing their security investment in automated tools to effectively deploy data-centric security. It’s a depressing finding. People know the problem, they are aware that there’s a cure out there, but they’re not embracing it because it’s too hard or expensive. That’s not a good prescription for the health of the security organization.

It comes down to two things—they just don’t have the right budget in place to procure the tools they need, and there’s an inability for organizations to prioritize security risks. One reason might be that the folks responsible for security are not particularly skilled at selling C-level executives on the need to allocate more budget for security. They don’t talk to the CFO, or they don’t know how to talk ROI [return on investment]. The reality is, without the right budget and prioritization, they might be able to see the problem, but they are not necessarily going to mitigate the risks.

For more insights into the security challenges organizations are facing, read the “State of Data Centric Security” report.
