Regulatory compliance and data security are important objectives for IT managers. Building on the resource-based view, this study examines the impact of IT security resources, functional capabilities, and managerial capabilities on regulatory compliance and data security. Using binomial and multinomial logit models, we analyze data from 250 healthcare organizations. The results show that IT security resources are positively associated with compliance and data security. Within functional capabilities, prevention capabilities improve both compliance and data security, and complement IT security resources. Functional audit capabilities are also associated with improved compliance but result in increased breaches, likely because such auditing helps organizations find, disclose and fix breach-related problems. Managerial capabilities (i.e., top management support, expertise, and data coordination) influence compliance more than data security. Our findings provide policy insight on effective security programs that harness IT resources, functional capabilities, and managerial capabilities. © 2012 IEEE.