It is far more work to play catch-up on security every three to six months than to implement security controls once and live by them every day.
What is the business value for an organization to become and remain compliant?
A new study conducted by the Ponemon Institute and sponsored by security solutions provider Tripwire provides some enlightening, if not surprising, answers. The study, a review of security investments made over a 12-month period at 46 global companies, found that organizations that regularly review and maintain compliance with leading industry security standards and regulations spend well under half as much annually as organizations that fall out of compliance: organizations that stayed compliant spent an average of $3.5 million a year on security, while non-compliant organizations spent an average of $9.4 million, roughly 2.7 times more.
“For those who do not do internal audits, the total cost of compliance is higher. They are likely doing manual work to get to ‘check-box’ compliance. ... They are doing the bare minimum and, when the external audit is over, they are back to business as usual and their systems are no longer in a compliance state, which makes them just as vulnerable as they were before the audit, so the cost of compliance is high,” Shenoy told Infosecurity. Every company, regardless of industry, is spending money on compliance, but not all are getting secure, Shenoy says. “It was the ones that invested in security practices that were reaping the benefits – those that focused on securing the business, rather than focusing on compliance alone. It does pay to be in a constant state of compliance.”