"Most people, in most lines of business or business units keep their eye on their own responsibilities and on what they have to do," Ponemon said. "They end up in these silos where the legal team doesn't talk to IT, which doesn't talk to the business units about what to do about compliance or risk assessment. They all have their own policies, but there's a lot of duplication of effort and they don't match up."
The report was sponsored by EMC's security subsidiary RSA, but the data and conclusions seem solid enough.
The analysis process they tout suffers from its own drawbacks, though.
First it's called e-GRC – for Enterprise Governance, Risk Assessment and Compliance – which combines three of the five technology issues that are both critical to the success of IT in a big organization, and guaranteed to put anyone to sleep far too quickly to do anything about them. (The other two sleep-inducing critical issues both involve storage, but so far I haven't been able to stay conscious long enough to figure out which they are.)
The second problem is that it requires corporate managers to not only cooperate with each other, but to spend time and money doing it without being forced by government regulations or an immediate crisis.
"Unfortunately it usually takes a crisis to get all these people talking across organizational barriers, but once they do, they find they eliminate a lot of duplicated effort and they have a much better response time and are more effective than when they operate without a plan," Ponemon said.
Companies that have had to deal with major security crises are usually well prepared for the next one, at least until acquisitions, changes of leadership or short corporate memories makes it seem wasteful or "soft" to spend resources making sure there is a specific group of managers responsible for coordinating data-governance, security and compliance policies companywide.
A process of risk-assessment that required a team at Sony to inform other divisions that it had been breached and how, and requiring other divisions to check for and eliminate similar vulnerabilities in their own sites, would have stopped the chain of Sony disasters after the first one.
"It's still not easy," Ponemon said. "But you've got a much better chance to top the problem early, rather than having it come back time after time."