"This speaks volumes to the confidence that people have about their overall IT risk posture," said Kapuria. "Part of the problem is that people only do assessments on a bi-annual basis, or they might inventory their assets sporadically; that gap is what often leads to exposure in availability, security, compliance, or performance." All the individual projects involved need to be managed on an ongoing basis, he said.
However, the process remains a moving target. Increased adoption of mobile devices and other distributed enterprise trends continue to boost data and compliance risks, while business practices -- including fast-paced mergers and acquisitions -- introduce greater complexity, Kapuria said.
The Symantec report contends that companies may see faster returns in improving their risk status through greater investment in employee risk education and training than through technological efforts.
Only 43 percent of respondents rated their training and awareness programs as more than 75 percent effective, showing that companies are well aware of their current shortcomings, Kapuria said. The report shows a decrease of more than 50 percent in companies' confidence about their training programs, compared to the year-ago survey.
"The area where most people need to focus on is classifying their data, what it's used for, and what its sensitivity may be," said Kapuria. "Rather than just throwing technology at their problems, companies need to assess, and then apply the appropriate availability, security, and compliance requirements."