Cost of regulatory security compliance? On average, $3.5M

A quarter of companies don't conduct annual internal IT security compliance audits

The cost of achieving regulatory security compliance is on average $3.5 million each year, according to a survey of 160 individuals leading the IT, privacy and audit efforts at 46 multinational organizations.

"The True Cost of Compliance," a research study done by Ponemon Institute and sponsored by Tripwire, makes the point that if that $3.5 million figure for the average cost sounds high, the average cost for organizations that experience non-compliance-related problems is far higher -- $9.4 million. Costs related to "business disruption, reduced productivity, fees, penalties and other legal and non-legal settlement costs" pile up when legal and regulatory compliance goals are not met, the study asserts.


The array of regulatory requirements facing organizations runs the gamut from U.S. state data breach notification laws to Sarbanes-Oxley to the European Union's Privacy Directive and more. But the Payment Card Industry Data Security Standard (PCI DSS) was deemed "most important" in terms of influence and "the most difficult to comply with," according to the survey's respondents.

"PCI seems to affect everyone," says Rekha Shenoy, Tripwire's vice president of strategy. She adds that the PCI DSS, unlike some compliance requirements, is very "prescriptive" in putting forth what's expected in terms of technologies and procedures.

The Ponemon report covered industries that include consumer products, technology, retail, industrial, public sector, healthcare, communications, education and research, financial services, transportation, pharmaceutical and energy. The survey respondents hold job titles that include chief information security officer, compliance officer, IT operations leader, audit director and others.

In divvying up "expense categories," the report says the use of "specialized technologies," "incident management," and "audit and assessment" take up large portions of data-compliance costs, with the corporate IT department, line of business and legal division regarded as functional areas that account for significant portions of the expenditures.

The per capita burden of both compliance and non-compliance costs was highest in organizations with fewer than 5,000 employees and lowest in organizations with 25,000 to 75,000 employees, where economies of scale may apply.

In terms of the number of internal compliance audits performed each year, the report says "surprisingly, 28% of companies say they do not conduct compliance audits, and only 11% say they conduct more than five audits each year."

However, internal compliance audits seem to be worth it. According to the report's analysis, "organizations that conduct three to five internal compliance audits per year have the lowest per capita compliance cost (average $154). The highest compliance cost (average $341) is associated with organizations that do not conduct any internal compliance audits." In addition, the lowest per capita non-compliance cost (with an average of $226) is said to be associated with organizations that conduct five or more audits, while the highest per capita non-compliance cost (average $1,275) is associated with organizations that do not conduct audits.
