Security Compliance: Spend Now or Pay Later

Security compliance isn’t cheap. A recent Ponemon study found that compliance expenses have increased 43 percent since 2011, costing companies more than $5 million each year.

According to Bloomberg, meanwhile, U.S. and European banks are spending $20 billion to meet compliance requirements for the revamped Markets in Financial Instruments Directive (MiFID II).

As a result, opting out — choosing not to spend upfront and hoping for ideal outcomes — is now a consideration for enterprises faced with shrinking budgets and burgeoning consumer expectations. The problem is that, while skimping offers short-term savings, it also leads to massive long-term costs.

Rolling the Dice on Security Compliance

Dark Reading reported that many companies expect to invest more than $1 million toward General Data Protection Regulation (GDPR) readiness, and this number could increase as the new legislation’s rules around personal and corporate data are put to the test.

For small and midsized enterprises, this is a huge line item, especially if they don’t conduct much business overseas. What’s more, average costs almost never align with actual spending. Implementation and training costs, along with costs to keep compliance policies up to date, drive up the price.

According to Infosecurity Magazine, while the average cost of compliance now totals almost $5.5 million each yeah, the cost of noncompliance comes in at $14.82 million — almost triple the amount spent on meeting regulatory expectations. Although the bulk of noncompliance costs often stem from data breaches, other issues, such as vendor noncompliance and improper auditing procedures, also impact the bottom line.

Reputation plays a role as well. Noncompliant enterprises face challenges from consumers frustrated that their data wasn’t properly protected and increased scrutiny from regulatory agencies. Once governing bodies discover an organization hasn’t done its due diligence, proving compliance becomes a major stumbling block.

Not spending on compliance upfront is like rolling the dice: If the wrong number comes up, enterprises could lose it all.

Controlling Costs

Companies are spending just over 14 percent of their IT budgets on compliance, according to Infosecurity Magazine, but this likely won’t be enough to meet MiFID II and GDPR compliance expectations. Add in the emerging need for Internet of Things (IoT) regulation, and it’s a safe bet that businesses will need to up their spending significantly to avoid both the upfront and downstream impacts of noncompliance.

The good news is that there are ways to better manage compliance spending, such as:

  • Implementing automation. As noted by Professional Adviser, it’s possible to manage security compliance costs with automated tools that monitor the expiry of client data consent and set specific retention periods for documents. While these solutions require upfront spending, the potential savings are substantial.
  • Accountable culture. Training is a large component of compliance expense. Employees must have the knowledge and tools available to ensure that data is properly handled. By extending these efforts to create a culture of inherent accountability, enterprises can reduce the costs associated with piecemeal compliance efforts.
  • Vendor expectations. Vendors play a critical role in the compliance equation. For example, if a third-party cloud provider that handles client data isn’t compliant, the responsibility lies with the organization that owns the data, not the vendor. Enterprises can reduce their total compliance budget by including specific expectations and documentation in their requests for proposal.

Security compliance is costly and new regulations are driving up the price. This creates a simple choice: Spend now, or pay later.


Douglas Bonderud

Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and...