A few weeks ago, we released a third-party independent report conducted by the Ponemon Institute on The True Cost of Compliance. Although there are a lot of reports that talk about data breaches and cyber crime, this is the first one that focuses on the cost of compliance and non-compliance.
We decided to embark on this project not only to fill that void, but also to uncover the economic impact that compliance has on the business. I have to admit that unless you’re a statistician, the True Cost of Compliance Report may be difficult to comprehend, so I’ve decided to create a series of blog posts that clarify the key findings of this report in terms that are easily understandable. In this blog post I would like to explore the differences between compliance and non-compliance costs.
Succinctly put, compliance costs are proactive spending, while non-compliance costs are reactive spending. In this graph we can see that non-compliance costs are much more expensive than compliance costs — 2.65 times more expensive to be precise. However, this does not mean that an organization that spends on compliance will not experience non-compliance costs. What it tells us is that the total cost of compliance is very high because you’re balancing the preventative costs of compliance with the costs of failure, i.e. the reactive costs of non-compliance.
In fact, all 46 organizations that were part of this benchmark study experienced both compliance and non-compliance costs, and all had data breaches (some small, some larger). For example, an organization could be perfect in its compliance efforts but still suffer data losses, thus incurring expenses associated with notifying affected individuals, getting back to a compliant state, etc.
However, there is a big difference in how organizations spend their compliance dollars. If organizations spend more on compliance, they’ll get more than a dollar’s value in return in the form of reduced non-compliance costs. There needs to be a balance between both costs. Martin McKeay, author, blogger and QSA, conducted a fantastic interview with Larry Ponemon from the Ponemon Institute in which they discuss this topic in further detail.
There are definitely different views of compliance. Most organizations are doing it because it’s mandated and they don’t have a choice, or doing it just to satisfy audit requirements. Others see it as part of their business culture to help them mitigate risk and become more secure. Stay tuned, as this will be the topic of another blog post.