The True Cost of Compliance report finds that secure organizations have lower non-compliance costs. To measure security, the Ponemon Institute has developed a security effectiveness score. This methodology was developed over the last five years and has been used in over 40 Ponemon Institute studies. The index takes into account 25 best practices that help organizations improve their security posture. Here’s the list of those best practices:
The True Cost of Compliance report shows that the higher the security effectiveness, the lower the cost of non-compliance. What you see on the graph below is that the stronger the security effectiveness (+2 on the chart), the lower the cost of non-compliance; the weaker the security effectiveness (-2 on the chart), the higher the non-compliance costs organizations incur. In other words, improving security does lower the consequential costs of non-compliance. To understand the difference between compliance and non-compliance cost, you can read Part I of this blog series.
We also ran the same type of analysis on compliance costs, but the results didn’t vary much: compliance cost showed little correlation with security effectiveness. What matters is how compliance investments are allocated. You can use this information to benchmark yourself against other organizations, find out how much non-compliance is costing you, and see how much security is helping you reduce the risk to your organization.
The report also identifies the security effectiveness attributes with the highest correlation to non-compliance cost. The top attributes that organizations should demonstrate in order to have a strong security culture are:
Next week, I’ll close this blog series with a post about the per capita cost of compliance.