Businesses are still facing challenges in securing their data and applications, and a recent survey from Citrix highlights their never-ending struggle to effectively secure both data and infrastructure. In fact, Citrix found that it’s not just the security policies that are the problem; it’s the organization’s own solutions and employee devices that further complicate things.

Citrix, along with the Ponemon Institute, surveyed business and IT respondents for the research and found that 52% of business respondents believed their organization does not have the security policies to ensure employees and third parties can only access sensitive business information when permitted.

Other feedback indicated that nearly 70% of respondents claimed their existing security solutions are outdated and inadequate. As a result, these respondents gave their organizations poor marks on reducing the inherent risk of unmanaged data, reducing the risk of unapproved applications, and having their security technologies protect information assets and infrastructure.

Few respondents felt confident that their employee devices are not allowing criminals to access their company network or data, either. According to the research, only 32% of respondents felt confident, and fewer than half said that their organization has policies in place to ensure both employees and third parties only have the appropriate level of access to business information.

The study also addressed poor security deployment: 70% of respondents said their organization has made investments in IT security technology that were not successfully deployed. Respondents also said their organizations are not able to reduce the risk of unapproved applications and data.

With these concerns in mind, Stan Black, Chief Security Officer of Citrix, said security today should be about investing in the right security technologies, not about the amount of security investments a company has made. The challenge for organizations is sifting through the many add-on security technologies on the market today, which only add to the complexity, “instead of reducing noise,” he said.

“Businesses looking to get ahead of the threat landscape need to invest in solutions that have security built into them,” said Black. “When security is addressed from the start, we can protect more sensitive business information.”

Businesses should also remove complexity and let employees work “when and how they want to work,” said Black. Companies can use virtualization, cloud and secure networking solutions to make sure employees don’t need to go around corporate data policies.

While there is no silver bullet for fixing all of the security challenges IT teams face today, Black has some suggestions. Training is so important when it comes to security, he said, because “the landscape is so dynamic, there will never be a one-and-done training.”

Companies can consider creating internal training systems that are reward-based, interactive, relevant and measurable, said Black.

“The more relevant the training is to a person’s job function, the more they’re likely to take the information to heart,” he said. “By measuring how many employees have taken trainings and succeeded with them, the better businesses will be able to measure their risk.”