The Ponemon-Sullivan Privacy Report includes original columns and a roundup of worldwide privacy news. It’s the best way to keep up with Ponemon Institute Research and Bob Sullivan’s opinions. Keep informed, sign up here.
Have you ever noticed how some organizations wield compliance like a club when marketing their products or services? They remind you of the latest in information security regulations, such as the HITECH Act or Mass 201 CMR 17, and then menacingly predict doom for those who transgress. If you fail to comply, their messages warn like a cross schoolmarm, the boogey man will flash his regulator badge and lower the boom (unless, of course, you buy the appropriate product or service).
The problem isn’t that the products and services many vendors offer cannot help organizations become compliant with a variety of regulations. To the contrary, the need for information security and data protection has been a catalyst for a great deal of innovation in both technology and services. But rather than being received by a market that recognizes its need to do a better job of protecting and managing sensitive information, the message has become resonant dissonance.
Yet we know that organizations with good data security strategies and practices can reduce their financial risk by avoiding costly data breaches and minimizing the impact of the breaches that do occur, so why isn’t the message more effective? The reason is that fear has been compliance’s primary motivator, and in business, fear is a lousy motivator.
So the Ponemon Institute set out to determine the financial benefit to organizations that adopt and implement compliance-related activities, including processes, policies, people and technologies. Non-compliance costs included items such as fines, legal fees, and lost opportunity costs. We examined these activities at 46 multinational corporations in a benchmark study underwritten by Tripwire Inc., and we believe the findings are revealing. We also hope they will provide much-needed support for information security and compliance professionals advocating for the resources to do their jobs. Among the findings:
Non-compliance costs are 2.65 times higher for organizations than compliance costs. That means that companies with ongoing investments in compliance-related activities actually save money compared with organizations that fail to comply with the various domestic and international security regulations. Of the companies we studied, compliance costs averaged $3.5 million, while non-compliance costs averaged $9.3 million, meaning that organizations that invested $3.5 million in compliance saved $5.8 million.
The full report offers a detailed description of our methodology, industry cost comparisons, and a fuller account of our findings that we hope will prove illuminating.
We hold firmly to the belief that compliance is a foundation, not a ceiling, and that no organization should be satisfied with maintaining only the minimum standards for protecting the data that it and its customers value. What is needed instead is a holistic information security strategy that fosters a culture of vigilance and is designed to anticipate, and change as needed in response to, an ever-changing threat environment.
If we can help you to achieve that ideal, please let us know.