December 14, 2017 By Douglas Bonderud 2 min read

Security compliance isn’t cheap. A recent Ponemon study found that compliance expenses have increased 43 percent since 2011, costing companies more than $5 million each year.

According to Bloomberg, meanwhile, U.S. and European banks are spending $20 billion to meet compliance requirements for the revamped Markets in Financial Instruments Directive (MiFID II).

As a result, opting out — choosing not to spend upfront and hoping for ideal outcomes — is now a consideration for enterprises faced with shrinking budgets and burgeoning consumer expectations. The problem is that, while skimping offers short-term savings, it also leads to massive long-term costs.

Rolling the Dice on Security Compliance

Dark Reading reported that many companies expect to invest more than $1 million toward General Data Protection Regulation (GDPR) readiness, and this number could increase as the new legislation’s rules around personal and corporate data are put to the test.

For small and midsized enterprises, this is a huge line item, especially if they don’t conduct much business overseas. What’s more, average costs almost never align with actual spending. Implementation and training costs, along with costs to keep compliance policies up to date, drive up the price.

According to Infosecurity Magazine, while the average cost of compliance now totals almost $5.5 million each yeah, the cost of noncompliance comes in at $14.82 million — almost triple the amount spent on meeting regulatory expectations. Although the bulk of noncompliance costs often stem from data breaches, other issues, such as vendor noncompliance and improper auditing procedures, also impact the bottom line.

Reputation plays a role as well. Noncompliant enterprises face challenges from consumers frustrated that their data wasn’t properly protected and increased scrutiny from regulatory agencies. Once governing bodies discover an organization hasn’t done its due diligence, proving compliance becomes a major stumbling block.

Not spending on compliance upfront is like rolling the dice: If the wrong number comes up, enterprises could lose it all.

Controlling Costs

Companies are spending just over 14 percent of their IT budgets on compliance, according to Infosecurity Magazine, but this likely won’t be enough to meet MiFID II and GDPR compliance expectations. Add in the emerging need for Internet of Things (IoT) regulation, and it’s a safe bet that businesses will need to up their spending significantly to avoid both the upfront and downstream impacts of noncompliance.

The good news is that there are ways to better manage compliance spending, such as:

  • Implementing automation. As noted by Professional Adviser, it’s possible to manage security compliance costs with automated tools that monitor the expiry of client data consent and set specific retention periods for documents. While these solutions require upfront spending, the potential savings are substantial.
  • Accountable culture. Training is a large component of compliance expense. Employees must have the knowledge and tools available to ensure that data is properly handled. By extending these efforts to create a culture of inherent accountability, enterprises can reduce the costs associated with piecemeal compliance efforts.
  • Vendor expectations. Vendors play a critical role in the compliance equation. For example, if a third-party cloud provider that handles client data isn’t compliant, the responsibility lies with the organization that owns the data, not the vendor. Enterprises can reduce their total compliance budget by including specific expectations and documentation in their requests for proposal.

Security compliance is costly and new regulations are driving up the price. This creates a simple choice: Spend now, or pay later.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today