Data protection compliance costs less than noncompliance

Research has shown that having a CISO can lower the cost of a data breach. But is there an effect on the cost of data protection compliance?

In many industries, the value of data is increasing, and so is the cost of protecting sensitive and confidential information. Regulatory scrutiny of information security is higher in industries such as financial services and healthcare, but that doesn't mean other companies are off the hook. In addition to PCI DSS, HIPAA and state data-breach notification and privacy laws, international businesses now face the European Union's General Data Protection Regulation (GDPR), which takes effect in May 2018.

Smaller companies -- with fewer than 5,000 employees -- in particular may be hit hard by data protection compliance costs. In a December 2017 report, "The True Cost of Compliance with Data Protection Regulations," the Ponemon Institute interviewed 237 functional leaders at 53 multinationals located in the United States and found that the average cost of compliance in fiscal year 2017 was $5.47 million, with companies allocating 14.3% of their IT budget to compliance spending. The average cost of noncompliance during the same 12-month period was $14.82 million.

According to researchers, key findings centered on six areas -- data security, enforcement, forensics and monitoring, program management, policy, and communications and training. Data security -- 63% of which was allocated to security technologies -- represented the highest average cost, at $2 million, and policy ranked the lowest, at just under $400,000.

The most difficult data-protection compliance to achieve, according to those surveyed, is with GDPR (90%), PCI DSS (55%), U.S. state laws (50%), HIPAA and the HiTech Act (39%) and the Sarbanes-Oxley Act (33%).

Business disruption represented the highest average cost at the companies surveyed, at $5 million, and fines and penalties were the lowest, at less than $2 million. As with any cost analysis, the devil is in the details; Jack Jones of the nonprofit FAIR Institute has complained that the information provided in the report is "a missed opportunity" and hard to decipher.

Data protection compliance is not the same as data security. However, according to the report, the cost of compliance is inversely related to the effectiveness of the company's security posture. In other words, organizations with a higher security effectiveness score -- or SES, a rating system based on Ponemon's proprietary methodology -- had a lower cost of compliance (and of noncompliance). Of the SES measures, a fully dedicated CISO topped the list.