Is the cost of regulatory compliance busting your budget? If so, you’re not alone. Many businesses are overhauling their information systems and management processes to fall in line with regulatory requirements being forced upon them. But the cost of regulatory compliance
First, it’s important to remember that a compliance strategy should be a side effect of a larger information risk management program. This one aspect alone can save you more money and time than anything else, because it allows you to keep everything in perspective. I see so many organizations struggle to become “compliant” with, say, HIPAA. Then once they reach compliance in that area, they move on and struggle to become compliant with PCI DSS, and so on. It’s a continual cycle of starting anew with each compliance regulation until things are in check. All along, new processes and new systems are added that create complexities hardly anyone can afford to take on.
Figure 1 shows some common duplicated efforts in the name of a compliance strategy:
Figure 1 – Compliance duplication can have a hefty price tag and hinder business progress.
In my work, I often see numerous areas of overlap and redundancy. Look at the gist of the information security and privacy regulations you’re up against, and you’ll see that you can address most issues across the board by simply approaching things from an information risk perspective. In fact, many of the regulations require a formal risk assessment up front, but this is often skipped. Or people assume they know what needs to be done and just put policies and technical controls in place without looking at the big picture.
Depending on where you currently are with your compliance strategy (the more advanced, the better), a great thing to do is an exercise in zero-based thinking. This is where you step back and ask yourself: If our compliance strategy were perfect in every single way, how would it be different from the way things exist right now? What would we need more of? Less of? What would we do, or not do, knowing what we now know?
Regardless of what others are telling you, don’t purchase or implement a single thing in the name of compliance until you figure out where your company currently stands, what controls you already have in place and what it’s going to take to fill the gaps moving forward. The reality is the cost of regulatory compliance does not have to be expensive, but it’s often made that way because people are rushing to put things in place to meet deadlines and please their auditors.
Take a hard look at how you’re currently addressing your compliance strategy. Placing a critical eye on your processes, policies and technologies will undoubtedly uncover numerous ways you can simplify things. As with other things in IT, simplicity is key if you don’t want compliance to make you crazy.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audiobooks and blog.
This was first published in May 2011