Tripwire and Ponemon Institute Reveal Economic Impact of Non-Compliance Exceeds Spend on Enterprise Compliance Initiatives

Portland, OR - Jan 31, 2011 -  Tripwire, a leading global provider of IT security and compliance automation solutions, and the Ponemon Institute today announced the results of the first benchmark study to estimate the costs associated with an organization's compliance efforts.

 

In-depth conversations with 160 business leaders spanning 46 multinational companies in multiple verticals revealed that dedicated investments in compliance activities – to meet common regulations such as PCI, Sarbanes-Oxley and HIPAA – are not only a critical component of a comprehensive enterprise security strategy, but can also offer return on investment over time. The average cost of compliance was found to be more than $3.5 million. However, the cost of non-compliance comes in significantly higher at an estimated $9.4 million, 2.65 times higher than compliance costs.

Data protection and enforcement activities ranked among the most expensive compliance activities, and business disruption and loss of productivity were found to be the most significant consequences for companies that did not achieve or maintain compliance. When addressing external compliance, PCI DSS, state privacy and data protection laws, the European Union Privacy Directive and Sarbanes-Oxley were named as the main drivers for investment in compliance, and also among the most difficult requirements to comply with.

"Businesses are aware that compliance efforts often require a significant investment, but our report supports the value of making that investment versus remaining non-compliant with data protection regulations," said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. "It is our hope that, by assigning a dollar value to the risk associated with non-compliance, we will help IT security and compliance professionals make a more compelling case for bringing their organizations in line with best practices for data protection.  Companies that invest in compliance activities such as frequent audits, enabling technologies, staff training and operational processes will find the most success in reducing risk and realize the ROI associated with preventing or reducing non-compliance costs."

Other key findings within the cost of compliance study include:

  • 28 percent of the surveyed companies said they do not conduct internal compliance audits, and only 11 percent responded that they conduct more than five internal audits each year. Organizations that conduct 3-5 internal compliance audits each year have the lowest per capita compliance cost (average $154). The highest compliance cost (average $341) was found among organizations that do not conduct any internal compliance audits.
  • In terms of allocating budget to managing the cost of compliance, the areas of considerable spend include complying with laws and regulations ($1,588,900), addressing internal policies and procedures ($1,190,005) and funding contractual agreements with partners, vendors and data protection authorities ($564,230)
  • Total cost of compliance varies greatly among industry segments, with a range of $6.8 million for education and research to more than $24 million for the energy sector. The cost of compliance versus non-compliance cost also varies by industry, with energy showing the smallest difference at ($2 million) and  technology showing the largest ($9.4 million).
  • The percentage gap between compliance and non-compliance is most evident in the technology  (79 percent), retail (76 percent) and healthcare (72 percent) industries; the smallest gaps were observed in financial services (25 percent), transportation (22 percent) and energy (9 percent).
  • Using the Ponemon Institute's security effectiveness score (SES) to measure organizations' security posture, it was determined that those with a higher score – or more favorable security posture – experience a lower cost of non-compliance. While security effectiveness is unrelated to compliance cost, a higher percentage for compliance spending relative to the overall IT budget indicates that investment in compliance activities reduces the negative consequences and costs associated with non-compliance.

Multinational organizations—regardless of industry—must ensure they consistently meet compliance requirements outlined by privacy and data protection laws, regulations and policies. To do so, these organizations must employ a combination of compliance activities as they relate to process, people and technology solutions to limit risk, as well as budget dedicated to funding legal and non-legal penalties for non-compliance. By actively investing resources in compliance activities, businesses can avoid falling victim to consequences such as cyber fraud, business disruption, and data and revenue loss.

"Organizations today are confronted by a growing number of compliance challenges, and it can be extremely difficult from a resource perspective to address these concurrently," said Rekha Shenoy, vice president of marketing, Tripwire. "However, businesses that invest in continuous monitoring and conduct frequent audits can drastically reduce the business and financial consequences associated with non-compliance – as well as better serve their customers and partners. Incorporating continuous monitoring solutions such as the Tripwire® VIA™ suite can empower companies with a proactive approach to IT security and compliance, providing visibility into critical infrastructure and offering a first line of defense to safeguard sensitive data."

To access the complete Ponemon Institute study along with related multimedia content, please visit http://www.tripwire.com/ponemon-cost-of-compliance/ or follow the conversation on Twitter via the hashtag #compliancecost.

About Ponemon Institute
The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About Tripwire, Inc.
Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their IT infrastructure. Thousands of customers rely on Tripwire's integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com and @TripwireInc on Twitter.