Experience says it all, and many IT leaders have learned the hard way the consequences of not having a sound corporate compliance plan. Don't comply with regulations and you're bound to get hit -- either by regulators or by a data breach, and possibly both.
The numbers from a recent study by Tripwire Inc./Ponemon Institute LLC called "The True Cost of Compliance" underscore the importance of thinking long term and addressing compliance programs now.
Some notable findings in that report include:
- The cost of noncompliance was 2.65 times the cost of compliance ($9.3 million versus $3.5 million).
- The smaller the gap between compliance and noncompliance costs, the lower the occurrence of data breaches over a given time period.
- Twenty-eight percent of the businesses surveyed do not perform compliance audits and, in turn, experience the highest compliance costs.
A side note from this study that I found interesting was that respondents said state breach notification compliance was No. 2 on the priority list behind compliance with the Payment Card Industry Data Security Standard (PCI DSS).
But, in my work, I come across so many organizations -- including ones with dedicated compliance managers and vice presidents of compliance -- that are completely unaware of these state laws and thus have done nothing to address them.
What I've witnessed over the years performing security assessments is that the sooner businesses get rolling with information security best practices and compliance programs, the easier it is to lay the groundwork necessary to make things stick. This is especially true for rapidly growing SMBs.
Here are some necessary questions to ask yourself and others responsible for your corporate compliance plan:
- If every single aspect of our corporate compliance plan were perfect, how would it be different from the way things function in our business today?
- How would we spend our time, effort and money differently?
- What would we do more of?
- What would we do less of?
- Would we stop doing certain things altogether?
Odds are your business processes and information systems environment are as simple now as they'll ever be. Why not address compliance programs early on so that compliance becomes part of a natural mindset when doing business?
As author Og Mandino once said, "Use wisely your power of choice." It's also been said that experience is something you don't get until just after you need it. You know what your business is up against, so vow to do something today to put your organization on the path towards enhanced compliance.
Even if it's something minuscule, everything you do will move your organization in the right direction. It's a business -- and career -- choice you won't regret.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audiobooks and blog.