03.13.2017

Cybersecurity Needs Smarter Approach

More does not always equate to better when it comes to IT security investments, according to a white paper recently published by 451 Research.

The technology advisory firm interviewed more than 1,100 senior security executives in financial services and other industry verticals from around the globe. Of the respondents, 73% anticipate increasing their spending on security, and 23% expect their investments to be “much higher.”

However, a larger security budget does not mean that organizations will attain their desired results, noted Garrett Bekker, principal analyst, information security practice at 451 Research and the report’s author.

“To the extent that security spending continues to increase each year, a defensible argument could be made that, at worst, much of that money is being wasted, or at best, sub-optimally allocated,” he wrote.

Garrett attributed much of the misalignment to the changing nature of enterprise infrastructure. “Simply put, our corporate boundaries become increasingly porous, and our resources are on the move, traditional endpoint and network security approaches are no longer sufficient in and of themselves,” he added.

The increasing use of cloud computing and other offerings delivered as services has put more of a focus on identity management, encryption, and digital loss prevention than common endpoint and network security approaches like firewalls and anti-malware applications.

To make matters worse, close to two-thirds of the respondents (63%) stated that they deploy new technologies in advance of having appropriate levels of data security in place.

A large plurality of the executives polled (44%) also stated that compliance was the primary reason why they invest in data security.

And the price of non-compliance with data security regimes, such as New York State Department of Financial Services’ cyber-security requirements that went into effect on March 1 or the EU’s General Data Protection Regulation that is set to go into full effect on May 6, 2018, can be high.

Once GDPR is in full effect, data protection regulators will have the authority to levy fines of up to 20 million euros or 4% of a firm’s global turnover (its sales net of taxes), depending on the infraction.

It’s now more than a slap on the wrist, according to Bekker. “It’s important to recognize that it’s no longer enough to just check off compliance boxes,” he added.
