December 14, 2017 By Douglas Bonderud 2 min read

Security compliance isn’t cheap. A recent Ponemon study found that compliance expenses have increased 43 percent since 2011, costing companies more than $5 million each year.

According to Bloomberg, meanwhile, U.S. and European banks are spending $20 billion to meet compliance requirements for the revamped Markets in Financial Instruments Directive (MiFID II).

As a result, opting out — choosing not to spend upfront and hoping for ideal outcomes — is now a consideration for enterprises faced with shrinking budgets and burgeoning consumer expectations. The problem is that, while skimping offers short-term savings, it also leads to massive long-term costs.

Rolling the Dice on Security Compliance

Dark Reading reported that many companies expect to invest more than $1 million toward General Data Protection Regulation (GDPR) readiness, and this number could increase as the new legislation’s rules around personal and corporate data are put to the test.

For small and midsized enterprises, this is a huge line item, especially if they don’t conduct much business overseas. What’s more, average costs almost never align with actual spending. Implementation and training costs, along with costs to keep compliance policies up to date, drive up the price.

According to Infosecurity Magazine, while the average cost of compliance now totals almost $5.5 million each yeah, the cost of noncompliance comes in at $14.82 million — almost triple the amount spent on meeting regulatory expectations. Although the bulk of noncompliance costs often stem from data breaches, other issues, such as vendor noncompliance and improper auditing procedures, also impact the bottom line.

Reputation plays a role as well. Noncompliant enterprises face challenges from consumers frustrated that their data wasn’t properly protected and increased scrutiny from regulatory agencies. Once governing bodies discover an organization hasn’t done its due diligence, proving compliance becomes a major stumbling block.

Not spending on compliance upfront is like rolling the dice: If the wrong number comes up, enterprises could lose it all.

Controlling Costs

Companies are spending just over 14 percent of their IT budgets on compliance, according to Infosecurity Magazine, but this likely won’t be enough to meet MiFID II and GDPR compliance expectations. Add in the emerging need for Internet of Things (IoT) regulation, and it’s a safe bet that businesses will need to up their spending significantly to avoid both the upfront and downstream impacts of noncompliance.

The good news is that there are ways to better manage compliance spending, such as:

  • Implementing automation. As noted by Professional Adviser, it’s possible to manage security compliance costs with automated tools that monitor the expiry of client data consent and set specific retention periods for documents. While these solutions require upfront spending, the potential savings are substantial.
  • Accountable culture. Training is a large component of compliance expense. Employees must have the knowledge and tools available to ensure that data is properly handled. By extending these efforts to create a culture of inherent accountability, enterprises can reduce the costs associated with piecemeal compliance efforts.
  • Vendor expectations. Vendors play a critical role in the compliance equation. For example, if a third-party cloud provider that handles client data isn’t compliant, the responsibility lies with the organization that owns the data, not the vendor. Enterprises can reduce their total compliance budget by including specific expectations and documentation in their requests for proposal.

Security compliance is costly and new regulations are driving up the price. This creates a simple choice: Spend now, or pay later.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today