A new study by the Ponemon Institute has found that companies that invest more in compliance initiatives typically have lower expenses when something goes awry.
The Ponemon Institute's True Cost of Compliance study, commissioned by security vendor Tripwire Inc., surveyed 160 business leaders at 46 multinational organizations that must comply with PCI DSS, Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA) and other common regulations. The study found the cost of compliance was on average more than $3.5 million, significantly less than the $9.4 million in estimated costs for failing to comply with regulations.
"In theory, if you are better at complying with these rules and regulations you should achieve a higher level of efficiency and effectiveness in your security and privacy programs," said Larry Ponemon, chairman and founder of the Ponemon Institute. "The end result is that you are going to have a lower cost of non-compliance."
Cash-strapped companies that ignore regulations are often saddled with higher costs associated with business disruption and loss of productivity, Ponemon said. Meanwhile, firms that have ongoing compliance initiatives spend a significant amount of money on data protection and enforcement activities. Those firms also typically have fewer records breached when they do suffer a data breach, he said.
"Most organizations are probably underfunding their compliance activities and they're not measuring their non-compliance costs effectively," Ponemon said. "They don't understand that if they did a better job on compliance, it can lead to a lower total cost of compliance."
Ponemon admits that not every dollar spent on compliance initiatives is going to improve a company's security infrastructure, but there is a systemic relationship between a good security posture and the spending on compliance costs, he said. Ponemon said the study is a precursor to a new framework being developed that aims to help organizations assess compliance costs.
Ponemon urges companies to start conducting internal compliance audits. While they are expensive, he said they offer the most comprehensive way to maintain compliance and, in the long run, reduce the cost of non-compliance. Only 28% of the surveyed companies said they do not conduct internal compliance audits, a figure that Ponemon said he would like to see increase. Organizations that conduct 3-5 internal compliance audits each year have the lowest per capita compliance cost.
"We find that many organizations do the minimal amount of internal audits," Ponemon said. "I think audits are very useful tools and they help organizations to prioritize."
Compliance costs are defined by the study as the cost of any activity organizations use to meet specific rules, regulations, policies and contracts that are intended to protect information assets. Non-compliance costs are the costs that result when an organization fails to comply with rules, regulations, policies, contracts and other legal obligations. The institute estimated the costs by applying its security effectiveness score (SES) to measure organizations' security posture. Organizations with a higher score experienced a lower cost of non-compliance. He said security and compliance are unrelated, but a higher investment in compliance activities reduces the negative consequences and costs associated with non-compliance.
In addition, those surveyed found PCI DSS and state privacy laws to be the most difficult sets of rules to comply with. On average, companies budgeted about $1.5 million to comply with laws and regulations. Additional costs include nearly $1.2 million on internal policies and $560,000 to fund contractual agreements with partners and vendors.