The ROI of Security Compliance
Study Finds Compliance Cuts Costs, Improves OperationsWhile compliance with the Payment Card Industry Data Security Standard was the most-often reviewed for the study, since PCI-DSS impacts any entity that accepts payment cards, the study reviewed other guidelines and standards, such as HIPAA, Sarbanes-Oxley and the Federal Privacy Act, to name a few.
What the study found, says Rekha Shenoy, vice president of strategy for Tripwire, is that across the board, regardless of industry or standard, companies that consistently comply with security requirements and standards save three times more in security-related expenses annually than companies that are categorized as non-compliant.
"There were not many differences among industries. They are all spending money for compliance, but they are not all getting secure," Shenoy says. "It was the ones that invested in security practices that were reaping the benefits -- those that focused on securing the business, rather than focusing on compliance alone."
Focus on security, and compliance will follow. Shenoy's message is one that is echoed often. "When you automate compliance and you are always in a compliant state," Shenoy says, "you are always secure and you are doing 'good' for the business." During this interview [transcript below], Shenoy discusses:
- How internal audits improve consistent security compliance;
- The fluid nature of security compliance;
- How investments made by financial institutions are proving for other industries and agencies the benefits of automated compliance audits.
Shenoy is Tripwire's vice president of strategy. Shenoy joined Tripwire in April 2007. Before Tripwire, Rekha held positions in corporate development, product management and marketing for performance management solutions, database tools and mainframe solutions, and in market research at BMC Software Inc. in Houston, where she drove strategic decisions around new technologies. She also worked at Questia Media Inc. and Compaq Computer Corp. Rekha holds a mater's degree in business administration, with a focus on marketing and finance, from Rice University. She holds a bachelor's degree in computer science and engineering from the University Visvesvaraya College of Engineering in Bangalore, India.
TRACY KITTEN: From PCI standards to complying with guidelines and expected mandates regarding emerging technologies, financial institutions, merchants and all industries and sectors that accept payment cards are faced with increasing pressure to improve security and protect consumer data. But some payment security initiatives continue to fall on deaf ears, as the benefits of enhanced security measures are often hard to gauge. Up to now, many entities, including banking institutions, medical-care providers and retailers, to name three, have done what they must to pass a security compliance audit and gone few steps further. But a new report from Ponemon Research finds that non-compliance actually costs more, especially over the long-term. I'm here today with Rekha Shenoy, vice president of strategy for Tripwire, a security and compliance-automation solutions provider that commissioned the Ponemon study.
Rekha, the study reviewed a number of compliance guidelines and standards, including PCI. What can you tell us about the findings, as they related to PCI compliance, as well as other guidelines, such as HIPAA, and are industries reaping benefits from compliance?
Compliance is Compliance
REKHA SHENOY: Sure. With regard to PCI, HIPAA, or any of these mandates, the common thread is about ensuring that data is protected. And so when you think about data protection, the issue is, "Are we really protecting that data? Are we really minimizing risk, and are we actually giving the business some benefits as a result of either getting secure or getting compliant? So, those are the big questions that we hear from our customers in a big way on either side of that spectrum.On the one hand, we have customers that say it doesn't benefit them at all, and so there is the challenge where they feel like it's a tax that is a burden on the company on an annual basis. Then, on the other end, this enabled them to actually start investing in security in a big way and actually improve things. So, we felt we needed to contribute to this debate in a way that was productive, by providing economic cost numbers that could quantify both the cost of compliance and the cost of non-compliance. In order to do that, we partnered with the Ponemon Group and they did this independent research. They talked to 46 global companies around these issues. The things they focused on were all of the different things that go into getting compliant: people, process, technologies, the auditors themselves, and so on. And then they focused on all the things that happen as a result of not being compliant. The breaches were only one part of that, but, obviously, a big part. They looked at the data breaches that actually happened and the resulting losses, but, in addition, they looked at the fines, the penalties, and, more importantly, the business disruption and the partners and the relationships that they lost as a result of not being compliant.
When all of these costs were put together and quantified, it was a staggering result to learn that the cost of non-compliance is, on average, about three times more than the investment being made on getting compliant. So, there absolutely is economic proof that non-compliance is costing companies enough for them to pay attention and do something about it.
No Industry is Immune
KITTEN: And what about industries across the board? Do you see the financial industry, for instance, reaping the same benefits that the medical industry reaps?SHENOY: That's an interesting data point. We do see some differences across the industries, but nothing significant. We do see that, in general, they are spending significant amounts of money for compliance across the board; but not all of them are really getting secure. So, the difference we saw wasn't on an industry basis. We saw companies that were actually investing in security-effectiveness processes, and those were the companies went across industries -- that was the interesting thing. There wasn't one industry doing better than the other, but it was the ones that had invested in security practices that were seeing dramatically lower costs of non-compliance, and it wasn't a function of how much you spent. So, basically, what it said to us was, "If you invest in actually getting secure, you will actually be doing good for the business by lowering that cost of non-compliance." But if you invest in compliance, which costs a lot of money, on average about $3.5 million, it doesn't necessarily help you, unless you are really securing the business.
KITTEN: When we talk about compliance and the cost of compliance, it doesn't really matter what the mandate is. It could be HIPAA or it could be PCI, but the cost is still the same, right?
SHENOY: Right. And prospects that we had talked to were across many, many industries. But the primary one that was either the one that was hardest to achieve or the one that was always top of mind was PCI, because it cuts across so many industries. But, absolutely, many of these companies are now in a world where they are dealing with multiple compliance issues and multiple compliance regulations that affect their business.
A State of Constant Compliance
KITTEN: Now, Rekha, you note that compliance is fluid, of course, meaning that it requires diligence and constant review. What did the survey reveal about companies that regularly audit to ensure that their compliance mechanisms or tools are always up to date?SHENOY: That's a good question, Tracy. It was interesting how Larry Ponemon used that as a metric to understand how seriously they took security. So, if you understand these companies, every one of them is getting audited by an external body. That kind of audit is happening to all of them. But then 28 percent of these companies had no internal audit of their own; what that meant was they are largely spending a lot of time, manually, trying to get to that compliance space in order to get the checkbox compliance score, and then they moved on to their day jobs. On the other end of the spectrum, there were companies that did five or more audits a year, and the only way you do that is if you've got some sort of automated compliance effort, so that spot checks could be done, which meant that they were always in a continuous compliance state. It was interesting to see how companies on either end of the spectrum reacted. Now, here was the interesting data. When you sliced companies by the number of internal audits, companies that did no internal audits had the highest compliance cost. In other words, they were spending the most dollar-for-dollar for compliance and also had the highest non-compliance costs, which we know is also related to breaches and so on. So, these guys had the highest cost. The companies that had gotten past that and were doing five or more audits a year on the other end of the spectrum actually had the lower cost, and maybe slightly higher than those that were doing one or two audits, but much, much lower than the ones that were doing no audits. They also were significantly lower in non-compliance costs. So, when you see that dramatic difference from the two ends, you can see that when you automate compliance and you are always in a compliant state, it's not a massive manual effort just to get compliant. When you go to that other side and you get secure, you are actually doing good for the business, and your non-compliance costs are much lower.
It's About Security, Not Just Compliance
KITTEN: Rekha, do you see the mindset, when it comes to compliance among industries, changing? I'm going to point to the financial institution space, for just a moment. It seems that financial institutions are evolving and accepting the fact that it's more about good security than it is about passing an audit. And I want to know if you would agree with that, and does the research support that assumption?SHENOY: So, I would agree that they are getting better, but I was surprised that the research didn't point out that they were among the best. So, they were certainly on the top end of the spectrum, when you look at the data broken out by industry, but, interestingly, they weren't necessarily the best.
KITTEN: And what about other industries, such as healthcare or perhaps even government? It seems that the healthcare industry is just the opposite, not very concerned about security so much as passing an audit. Would you agree with that, and did the research support that assumption?
SHENOY: Absolutely. So, you can see that healthcare is definitely on the low end of the investment that they are making in compliance costs, and their non-compliance impacts are, of course, much higher as well.
KITTEN: And what about government? I would make the assumption that government is very dedicated to security, but we've seen recently that local governments have been breached, especially when it comes to not complying with PCI. What does that tell us about compliance within governmental agencies?
SHENOY: So, that is an interesting point. Having talked with government customers and also seeing the data, what we're seeing is that it's a mixed bag. There is almost the identical situation in government as you see in commercial, where you've got this mix of people who get it and the people who don't. In other words, people who feel like they want to use the dollars to get secure and the people who want to get check-box compliant, and they are absolutely right in the middle of all of this. They are not more secure. The problem is they are actually better targets and bigger targets for organized crime, for the cyberattacks, and they are not actually doing a whole lot better than the commercial sector, when it comes to security and compliance.
KITTEN: Before we close, Rekha, I would like for you just to share with our audience the top five takeaways, and maybe one of those should focus on what industries could do to enhance compliance or change their mindset. What should the priorities be in 2011 and beyond?
SHENOY: I think one of the key things is we absolutely want to arm the business owners with the data they need to make the case that securing the business is good for the business. After years and years of adding total information on the topic, this is definitive proof that it actually helps the business. So, when you see the cost of non-compliance and you see companies that have gotten ahead of it, it's absolute proof that compliance helps the business to be secure. That is the most important factor in the motivation for this research, and I'm glad that the research pulled that out.
The second key point is that investing in automating compliance is a good investment, and it's not compliance in a way that you might think of, such as just automating paperwork, but, rather, automating all of the key pieces so that you're always secure and always compliant. That saves costs from an overall audit prospective, and that actually helps you lower your non-compliance costs. If you think of internal audits as just being one mechanism or one lever of that process that is automated, then you can see that actually helps companies get better. So, when you think of the security investments you're about to make, think about it in the context of how can you enable the security investment to pay off in the long term by lowering your cost of compliance and also lowering your impact of breaches, by recovering from breaches faster as well as lowering your penalties and fines and revenue loss as a result.