The biggest challenge for security teams is not about meeting compliance demands, and preventing breaches, but its managing complexity, risk management and handling security challenges says the latest finding from InformationWeek 2012 Strategic Security Survey.

InformationWeek, the peer-based IT research and analysis provider, 2012 Strategic Security Survey: Pick the Right Battles report is the result of survey conducted with more than 900 business technologies professional with 100 or more employees.

According to the report, managing the complexity of security is one of the biggest challenges for enterprise. About 52 percent respondents say complexity of security including identity and password management is their major challenge, 39 percent say enforcing security policies followed by preventing data breaches from outside attackers (34 percent) are the next big security headache.

“Sadly, though, most programs don’t include good metrics programs to gauge their effectiveness, and most focus on meeting the minimum requirements, rather than taking a best practices-based approach that is customized to the environment at hand,” said Michael A. Davis, CEO of Savid Technologies, a Chicago-based technology and security consulting firm, who authored the report on the survey findings. “These adaptations help meet compliance quickly, but aren’t always customized to the environment and don’t accurately reflect real life.”

On the mobile front, 25 percent say connecting devices including smartphones and tablets represent a significant threat to security. The next big concerns in mobile devices are loss or theft, which potential could lead to loss of proprietary data for companies.

“For example, mobile security is everywhere, and it seems every company is looking at the problem and investing time and money to solve it,” Davis explains. “Yet mobile threats are miniscule compared to real threats that have had a consistent impact on organizations, such as phishing, SQL injection and malware.”

When it comes to cloud computing risks, the survey found that 29 percent of participants conduct their own risk assessment audits. Fifteen percent participants are yet to perform risk assessment audits, compared to 28 percent last year. Moreover, 14 percent companies trust vendor provided self-audit reports such as Statement on Standards for Attestation Engagements No. 16, or SSAE16.

“We don’t recommend you blindly accept the reports vendors provide,” Davis explains. “One reason is that each SSAE16 attestation contains different sets of scope and system descriptions, so one provider’s SSAE16 may be dramatically different from another’s.”

On bring-your-own-device (BYOD) trend, the report says 44 percent respondents said mobile devices represent a minor threat to them, compared to 25 percent who said mobile devices are a major threat.

“Respondents who perceive mobile devices as a security threat say the loss of a device is the most significant security concern with mobile devices, and we agree,” writes Davis. “These devices are easy to lose and easy to steal, so remediating the effects of a loss or theft should be the top priority for security teams.”

Companies have started implementing mobile device management (MDM) to set and enforce security policies, the report finds. About 31 percent respondents have applied MDM measures while another 39 percent are evaluating the practice.

“When it comes to security and risk management, it’s tempting to try to address everything, but a more effective approach is to focus on the most likely threats,” says Lorna Garey, content director of InformationWeek Reports. “Implementing better access control, vetting cloud providers, safeguarding mobile devices, educating users and building more secure software should be on every company’s security to-do list.”

Many industries always set high standard when it comes to data retention and regulatory compliance, which make them reluctant to move to cloud services due to security and risk factors. But measures like data verification functionality, information management in the cloud, deduplication and compression and secures backup can make a safe bet for cloud service providers to look to the companies built for the cloud for help.