The Compliance Security Council, made up of the Institute of Internal Auditors, the Computer Security Institute, and Symantec, has been tracking what’s working and what’s not, says James Hurley, executive director of research for the Security Compliance Council and a director of research at Symantec. In the past year, about 85 percent of the organizations have been through one regulatory audit; 60 percent have been through two or more; and 80 percent, three or more. Spending on IT security wasn’t drastically different between organizations with the best audit results and those with the worst. The successful ones spent over 10 percent on security, and those with failures, six percent or less, Hurley says.