6/18/2012
04:08 PM

The Compliance Officer's Dirty Little Secret

Fines may not equal cost of regulatory compliance, but they aren't the only cost of noncompliance

At many organizations, chief compliance officers (CCOs) conclude the price of achieving compliance is more than the expense of a regulatory fine. So they roll the dice, attempting to save money by forgoing serious compliance efforts, thinking they'll simply absorb the fines for noncompliance if they're ever caught. Unfortunately, that gamble is made on flawed assumptions: Most of these initial calculations are based on numbers that don't figure in the long tail of costs incurred from noncompliance and data breaches.

This faulty calculation is the dirty little secret of today's typical CCO, says Bob Janacek, CTO at cloud-based information delivery company DataMotion.

"There are a lot of compliance officers that just go into this maybe reading about what the fine will be, and they think that's all that is because they haven't been through it before and they don't see the long tail behind that," he says. "It's not just the front-end fines."

Compliance and security personnel need to factor much more than just regulatory fines into their risk calculations, warns Chris Apgar, CEO and president of Apgar & Associates, a privacy, security, and regulatory compliance consultancy. He says they need to think of the legal risks from class-action lawsuits incurred following a breach, the cost of notification of victims, potential fallout in stock prices, the cost of technology and consultants to remediate problems when the regulators crack down, and the intangible costs of brand damage when word gets out about the company's missteps.

Apgar holds up the recent fallout from a breach at Blue Cross Blue Shield of Tennessee as a good example of how fines are just a small cost associated with noncompliance.

"Yes, they were fined $1.5 million, but it cost them over $17 million to address the breach and mitigate," he says. "It can be very expensive, and that's real hard costs: That's not the intangible costs of loss of trust and potential loss of business. People don't understand what the full cost is because they just focus on what does the regulation require of me and what are the penalties?"

Apgar relates an example he saw recently in a customer engagement to illustrate how hidden costs can manifest themselves when security incidents arise. In working with a large utility to test its incident response plan, his team found that its IT shop's response procedures were in great shape. But when it came to responding to something in concert with other departments that would be affected by a breach, that's when things got squirrelly.

"When we brought in the attorney and the communications shop and so forth, it just fell apart," he says. "They didn't know what to do or where to go. There wasn't that linkage between a good, solid IT shop that was secure and then, when it spilled over into the business, what it would cost or what it would even take to address it."

According to Janacek, it will take a while yet for most CCOs to gather a broader picture of the risks as compared with the cost of compliance.

"I think it may take a long time for compliance officers to really see the total risk that a compliance breach has on the organization," says Janacek, who believes that at the moment many well-intentioned CCOs are still learning through ad-hoc, on-the-job training. "But hopefully when they see the total costs of these breaches in the media, and how many more times it costs to remediate these breaches versus putting in systems that could prevent them in the first place, hopefully they have the clout to try to do the right thing."

And when they do try to do the right thing, then perhaps the costs will be cut not through the roll of the dice, but instead by creating an efficient governance, risk, and compliance program.

"The regulatory burden is only going to get heavier year-over-year. Its drag on the bottom line is palpable," says Ben Tomhave, principal consultant at LockPath. "As such, it is becoming increasingly important that this burden be taken on aggressively through instantiation of a comprehensive GRC program that includes an imperative to actively manage operational risk in a measurable, cost-effective manner. To achieve this objective, businesses will need to formalize their GRC practices through stand-up of a GRC program."
