Security and compliance spending is often viewed as a necessary evil by CFOs, whose endless quest for cost-cutting opportunities is the bane of every CIO. Even the threat of an expanded risk profile is sometimes not enough to loosen the purse strings.

But what if some spending now could not only result in better security and compliance, but ultimately higher profits, lower expenses, and improved customer satisfaction and retention? That would paste a smile on the face of the most frugal of CFOs, not to mention making him or her look like a hero to the Big Boss.

According to a report from the IT Policy Compliance Group (IT PCG), those are the results to expect from moving up the IT governance, risk and compliance (IT GRC) maturity scale.

The five-category maturity scale (or six, if you count Level 0, non-existent procedures and processes) runs the gamut from basic ad-hoc processes through the completely optimized, money-saving top level, and maps to the standard capability maturity model (CMM).

Presented at the 2008 Symantec Vision conference in Las Vegas (Symantec offers a compliance process automation suite that assists in moving up the maturity scale), the report discusses findings from several waves of benchmarking surveys conducted over the past two years; the most recent looked at results from 558 organizations over the period of December 2007 to March 2008.

It tells us that companies at the top of the maturity scale enjoy 17 percent higher revenues, 14 percent higher profits, 17 percent higher customer retention levels and spend 50 percent less annually on regulatory compliance than organizations at the bottom of the scale. Their financial risk from customer data loss or theft is a mere 0.4 percent of revenue, while those at the bottom of the scale face the risk of a revenue hit of 9.6 percent.

The elite, most mature group chronicled in the report was a mere 12 percent of the sample, while 20 percent were at the bottom of the heap, and the remaining 68 percent occupied the middle three maturity categories.

No one industry leads in the maturity derby. In fact, according to report author Jim Hurley, managing director of IT PCG, some results were counter-intuitive. You would expect, for example, that highly-regulated industries would rank higher in process maturity than the less regulated. That's not always true. Nor do large corporations necessarily fare better than smaller organizations. "The secret sauce was procedures and practices," he says.