What's the best way to reduce the cost of complying with the privacy and data protections laws and the numerous regulations designed to protect the sensitive and confidential customer information that you store?
It's a tricky question to answer, but one that's worth exploring, as compliance can have a very significant cost. A survey of 46 multinational companies carried out by the Ponemon Institute and the security company Tripwire found that the average annual costs of compliance-related activities ranged from $446,000 to more than $16 million, with an average of $3.5 million. The highest proportion of spending was directed at providing security measures for stored data, but other activities included creating policies, communicating these policies to staff, compliance monitoring, enforcement and staff certification.
The bad news is that compliance costs don't end there. That's because compliance efforts are never 100 percent effective at protecting stored data--if they were perfect, then no "compliant" company would ever suffer a data breach. And non-compliance has a cost. Firstly, there are fines and penalties that may have to be paid for non-compliance, although it turns out that these are relatively insignificant. The most significant cost of non-compliance is far more business related, and comes from business disruption (e.g., cancellation of contracts or business process changes imposed by regulators), productivity loss (time lost because systems and other critical processes experience downtime) and revenue loss (including reduced customer turnover and diminished loyalty due to lost trust and confidence in the organization). You have only to look at the recent data security breach at Sony's PlayStation Network, where millions of customers' records were stolen, to see the huge impact a data loss can have on business, productivity and revenue generation.
1. Concentrate on the total cost of compliance, not just what you spend on compliance
If you want to drive down storage compliance costs and you concentrate on what your organization is spending on compliance, you are looking at only part of the picture. What you should be looking at is what we might call "total compliance cost"--the cost of your compliance activities, plus the costs incurred as a result of being non-compliant. The reason it's so important to include non-compliance costs is that they are very significant: The survey found that on average, non-compliance costs were 2.65 times greater than the cost of compliance, and in all but two of the 46 companies questioned, non-compliance costs exceeded compliance costs.
2. You may have to increase your spending on compliance to reduce your total cost of compliance
The fact that non-compliance costs are often far greater than compliance costs has important implications when it comes to minimizing total compliance costs. Clearly one sensible approach is to look at reducing non-compliance costs. The most direct way to do that is to improve your compliance efforts--which probably means increasing spending in that area. So, counter-intuitive though it may be, one way to reduce total compliance costs might be to increase your compliance spending. This, of course, assumes that the increased spending is done effectively. "The cost of non-compliance can be more expensive than investing in compliance activities. The question is, how much to spend on one to minimize the other," said Dwayne Melancon, a Tripwire vice president.
One clue to answering this question comes from an analysis of the survey data. The premise that increasing the amount of compliance spending offsets the cost of non-compliance was tested, and although that couldn't be determined directly, it was found that the smaller the gap between compliance and non-compliance costs, the lower the frequency of lost or stolen data.
Getting your head around what this actually means is by no means easy, but let's have a go at it anyway. Increasing your compliance spending--perhaps to improve data security--will, all things being equal, reduce the gap between your compliance and non-compliance costs. A reduced gap would point to fewer security breaches, which in turn points to reduced non-compliance costs. So increasing one should offset the other, but it's not clear that you'll experience an overall savings.
3. Increasing your security effectiveness can bring down your cost of non-compliance
The Ponemon study used a security effectiveness score (SES) to measure each organization's security posture. (An SES is derived from the rating of 25 information security and data protection practices.) What it found is that SES is inversely related to non-compliance costs. In other words, the more effective your security, the lower your non-compliance costs--and therefore your total compliance costs.
While this is not unexpected, it does raise the question of where exactly you should beef up your data security to reduce your non-compliance costs the most. In fact, the survey identifies a number of SES attributes with high correlations with reducing non-compliance costs, and these include:
- Monitoring and strictly enforcing security policies
- Attracting and retaining professional security personnel
- Ensuring minimal downtime or disruptions to systems resulting from security issues
- Preventing or curtailing viruses, malware and spyware infections
4. Internal compliance audits may reduce the total cost of compliance
What else can be done to drive down total compliance costs? As it happens, one thing that appears to be particularly effective is carrying out compliance audits.
At first glance this sounds strange--carrying out a compliance audit costs money, and therefore increases compliance costs. But the survey found an inverse relationship between the frequency of compliance audits and non-compliance costs. It also found that organizations that do not conduct any compliance audits experience the highest total compliance costs (when adjusted for size), while organizations that conduct five or more per year have the lowest total compliance costs.
It's always wise to be cautious when looking at these sorts of survey figures because a correlation doesn't necessarily imply causation. It may be that companies that carry out five or more audits are the ones that have embraced a compliance culture and take data protection more seriously than those that carry out fewer--and therefore incur lower non-compliance costs. Merely carrying out more audits, in and of itself, may not be enough to reduce data loss in your organization. But it could be that there is a causal relationship between audits and non-compliance costs: Carrying out audits might make the overall compliance burden more manageable, leading to fewer compliance breaches.
The conclusion of all of this is that reducing the total cost of compliance in your organization is almost certainly possible but far from straightforward. The key to spending less may well be choosing the right areas in which to spend more.
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.