Compliance: A Cost or Savings?
Do the costs of compliance with regulations outweigh those of non-compliance, or vice versa?
Compliance regulations have been part of the IT environment for years. What has made compliance an important subject as of late is the impending implementation of the General Data Protection Regulation (GDPR) from the European Union, which takes effect in May of this year.
The GDPR means that U.S.-based companies that do business in Europe or hold information about European citizens will be subject to its regulations, in addition to existing ones such as PCI, HIPAA and the Sarbanes-Oxley Act. (See my blogs, GDPR Influencing U.S. and GDPR: From the EU to US.)
Although most organizations protect their information using security tools and techniques, compliance regulations do not tell you how to protect the data. They just define what needs to be protected and how that data protection is audited.
Compliance means that an organization needs to confirm that it has met the requirements of accepted practices, legislation, rules and regulations, and specific standards. Compliance may also be part of a contract. Compliance is the act of adhering to, and demonstrating adherence to, federal, state, and international laws and regulations, in addition to enterprise policies and procedures.
Compliance can limit risk. Risk management is composed of the activities that direct and control an enterprise so it can pursue opportunities while limiting negative events. Compliance is a demonstration with a reporting function: the reporting covers how a security program satisfies the specific security standards laid out by regulatory organizations.
Security vs. Compliance
Some organizations think that security and compliance are the same thing. Consumed by the complicated regulations, they reduce their focus on security. The two play different roles. Whether the data is on premises or in the cloud, the regulations are the same; only the responsible parties may differ.
Cyber security protects data from threats by controlling how that information is used, consumed, and delivered. Compliance is the reporting function of how the security program satisfies specific regulatory security standards. Being merely compliant does not ensure security. In other words, don't use compliance requirements as a blueprint for creating a security program. Security produces the conditions for compliance to be successful.
The Ponemon Institute issued a report titled "The True Cost of Compliance With Data Protection Regulations." The graphics in this blog are from that report.
The report reviewed compliance and non-compliance costs, comparing 2011 to 2017. As shown in the graph below, non-compliance costs are significantly higher than the cost of compliance. While the costs of both non-compliance and compliance increased from 2011 to 2017, compliance costs rose by a much smaller margin.
Budgeting for Compliance
The cost of compliance is driven more by laws and regulations than by the enterprise's need to improve security. Federal as well as state regulations specify compliance, and all of them require constant monitoring and audits of an organization's compliance. The cost of compliance can be a budget burden that includes not only dedicated professional staff and technologies that reduce risk, but also the allocation of legal and non-legal staff plus the penalties for non-compliance.
Typical compliance efforts include costs that also relate to security:
- Information protection and activities that include enforcing those protection regimes
- Planning for incident response and the teams that support the response
- Auditing and assessing compliance activities
- The production of policies that cover compliance
- Communicating compliance requirements and regulations to the enterprise's internal operations as well as training those individuals
- Certification of staff members
- Fixing and redressing activities that deal with compliance limitations or gaps
- Investing in technologies that protect assets
The Ponemon report also noted that compliance costs increase with the head count of employees and contractors.
Compliance Costs by Business Segment
The Ponemon report determined that financial services and industrial companies incurred the highest costs for compliance. Although the survey had a small sample size, it shows that there is a wide range of costs across multiple business segments. If you inspect the chart below, you will notice that compliance costs have increased considerably across all segments from 2011 to 2017.
The Costs of Non-Compliance
The costs incurred for non-compliance, according to the report, are 2.71 times the cost of compliance. These include:
- Disruption of business activities
- Reduction of productivity
- Loss of revenue
- Fines, penalties, and settlement costs when compliance is not met
- Customer/user marketing costs
- Loss of reputation
- Compliance consultant fees
- Performing a re-audit
Many enterprises perform an audit once a year. But the Ponemon report pointed out that performing more audits, although it increases the auditing cost, actually reduces the total cost of compliance. It is recommended that two audits per year be performed. The audits have another benefit in that they reaffirm the enterprise's goals of compliance and remind everyone that there should not be any complacency when it comes to compliance and security.