At many organizations, chief compliance officers (CCOs) conclude the price of achieving compliance is more than the expense of a regulatory fine. So they roll the dice, attempting to save money by forgoing serious compliance efforts, thinking they’ll simply absorb the fines for noncompliance if they're ever caught. Unfortunately, that gamble is made on flawed assumptions: Most of these initial calculations are based on numbers that don't figure in the long tail of cost incurred from noncompliance and data breaches.

This faulty calculation is the dirty little secret of today's typical CCO, says Bob Janacek, CTO at cloud-based information delivery company DataMotion.

"There are a lot of compliance officers that just go into this maybe reading about what the fine will be, and they think that's all that is because they haven't been through it before and they don't see the long tail behind that," he says. "It's not just the front-end fines."

Compliance and security personnel need to consider much more than just regulatory fines into their risk calculations, warns Chris Apgar, CEO and president of Apgar & Associates, a privacy, security, and regulatory compliance consultancy. He says they need to think of the legal risks from class-action lawsuits incurred following a breach, the cost of notification of victims, potential fallout in stock prices, the cost of technology and consultants to remediate problems when the regulators crack down, and the intangible costs of brand damage when word gets out about the company's missteps.

Apgar holds up the recent fallout from a breach at Blue Cross Blue Shield of Tennessee as a good example of how fines are just a small cost associated with noncompliance.

"Yes, they were fined $1.5 million, but it cost them over $17 million to address the breach and mitigate," he says. "It can be very expensive, and that's real hard costs: That's not the intangible costs of loss of trust and potential loss of business. People don't understand what the full cost is because they just focus on what does the regulation require of me and what are the penalties?"

[ How can you make your compliance spend more efficient? See 5 Ways You're Wasting Compliance Dollars. ] Apgar relates an example he saw recently in a customer engagement to illustrate how hidden costs can manifest themselves when security incidents arise. In working with a large utility to test its incident response plan, his team found that its IT shop's response procedures were in great shape. But when it came to responding to something in concert with other departments that would be affected by a breach, that's when things got squirrelly.

"When we brought in the attorney and the communications shop and so forth, it just fell apart," he says. "They didn't know what to do or where to go. There wasn't that linkage between a good, solid IT shop that was secure and then, when it spilled over into the business, what it would cost or what it would even take to address it."

According to Janacek, it will take a while yet for most CCOs to gather a broader picture of the risks as compared with the cost of compliance.

"I think it may take a long time for compliance officers to really see the total risk that a compliance breach has on the organization," says Janacek, who believes that at the moment many well-intentioned CCOs are still learning through ad-hoc, on-the-job training. "But hopefully when they see the total costs of these breaches in the media, and how many more times it costs to remediate these breaches versus putting in systems that could prevent them in the first place, hopefully they have the clout to try to do the right thing."

And when they do try to do the right thing, then perhaps the costs will be cut not through the roll of the dice, but instead by creating an efficient governance, risk, and compliance program.

"The regulatory burden is only going to get heavier year-over-year. Its drag on the bottom line is palpable," says Ben Tomhave, principal consultant at LockPath. "As such, it is becoming increasingly important that this burden be taken on aggressively through instantiation of a comprehensive GRC program that includes an imperative to actively manage operational risk in a measurable, cost-effective manner. To achieve this objective, businesses will need to formalize their GRC practices through stand-up of a GRC program."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.