The risks and threats enterprises face are growing more sophisticated by the day.

There's a greater number of regulations and breach notification laws in response to those threats.

With that increased risk environment, one would hope enterprises are becoming more strategic in how they deal with the challenges. But that's sadly not the case, according to this year's annual Global Information Security Survey, conducted by CSO and CIO magazines in partnership with PricewaterhouseCoopers. More than 9,600 business and technology executives from around the world took the survey, and 43 percent of them believe their organizations are IT security leaders.

According to the survey, only 11 percent consider increasing the focus on data protection a "Top Priority." The same or a lower number of respondents prioritized governance and compliance (10 percent) and security investments based on risk (8 percent).

The same respondents, according to the survey, are increasing their investments in defensive technologies like firewalls, intrusion detection, anti-malware and a host of other technologies.

In a nutshell, the enterprises surveyed are investing in security tools and products -- but they're not prioritizing these investments or investing much in the internal processes to make certain they work.

"We find exactly that to be the case very often," says Robbie Higgins, VP of security services at IT solution provider GlassHouse Technologies. "Enterprises can easily justify buying hardware and software. When you take a look at everything, they have all the right technologies, all those things that Gartner would say is that upper right-hand quadrant. Yet, in many cases, they've actually put weak security controls in place."

"There are two ways to look at that data," says Daniel Kennedy, research director for information security and networking at the research firm TheInfoPro. "You can be glad they're confident about their security posture, they must have some reason behind that. I do wonder, however, if there is something along the lines of the Dunning-Kruger bias, in which unskilled people make poor decisions but don't realize their own incompetence."

Ultimately, says Higgins, organizations investing in technology without putting in place the people and the processes necessary to make it run right may be placing themselves at greater risk.

"They have all of these tools, but the question is, have they mapped their deployments to the threats in their environment? Have they designed and architected their infrastructure such that they do have the right controls in place to protect against threats?" asks Higgins. "They now have a false sense of security, and the risk is bigger because they have this sense that they are in the right spot, because they bought all the right technology."

George V. Hulme writes about security and technology from his home in Minneapolis. He can be found on Twitter as @georgevhulme.
