In fact, according to IT security analyst firm The 451 Group, nine different security technologies are required for PCI compliance alone: antivirus, firewalls, intrusion detection systems, encryption for data at rest, file integrity, log management, multifactor authentication, a Web application firewall (or a security development life cycle), and a vulnerability management solution.
Then there are the services: a qualified security assessor, an approved scanning vendor, and, in the case of a breach, a qualified incident response assessor.
For small and midsize businesses (SMBs), the costs can be overwhelming, says Joshua Corman, research director for The 451 Group's security practice.
"There is no way a painting business is going to do all this stuff," Corman says.
The result is that most small firms throw up their hands, Corman says. While a large company can shell out hundreds of thousands of dollars for assessment and compliance solutions, that sort of money is not in the budget of most smaller firms.
"If they pay attention, it's because compliance forced them to become more aware," Corman says. "They definitely don't overspend on security. The primary concern of an SMB, especially in a down economy, is, 'Can I make payroll on Friday?'"
Yet, even small companies may need to comply with at least one -- and sometimes more -- of the security regulations that govern the data they store on their servers. Medical firms need to abide by the Health Insurance Portability and Accountability Act (HIPAA). Small banks have to comply with the Gramm-Leach-Bliley Act (GLBA). And any firm holding credit-card data needs to be compliant with the Payment Card Industry (PCI) Data Security Standards.
For SMBs, perusing the PCI standards is a good first step, Corman says, because most businesses accept credit cards and because many other standards use the PCI requirements as a starting point. "It is not a bad proxy," he says.
There are three main categories of compliance costs, experts say. The first is initial design and implementation of systems to collect the data and create the reports needed to pass future audits. Because many smaller businesses do not have dedicated IT staff -- never mind IT security staff -- the company usually has to pay a security consultant or assessor to do this work.
The second major cost is the ongoing effort needed to collect the data necessary for compliance validation. Companies that do not build efficient initial designs can pay the price in labor, Corman says. "One client kept track of the time spent on compliance and found that, in year one, they spent 60 percent of staff time on collecting log data for reports," he says.
Finally, SMBs must pay an auditor to verify they are complying with regulations.
Despite its costs, compliance can be beneficial as a way to get small businesses thinking about security, say experts.
"All of them are concerned about compliance, but it is not the compliance that they should worry about," says Gray Williams, managing director of Tata Communications' managed security services group. "How do I get to the point where I can have that rational conversation about how secure is adequately secured?"
Convincing companies to think about improving security through a compliance program is not always easy, observers say. Many companies look to minimize their compliance costs and go for the checkboxes, without really paying much attention to real security -- even though fixing their security problems can mean avoiding a costly breach.
"As one CIO put it, 'I might be hacked, but I will be fined.' So they will always tackle compliance first," Corman says.
The first step to a better, and less expensive, compliance program is to question whether your company needs to be storing sensitive data at all. Companies should survey their data collection practices to discover what sensitive data they can jettison, Corman says.
"The biggest lever that companies have is, the less data that you have, the less expensive an audit is going to be," he says.
Companies that minimize the number of systems that handle data can significantly reduce the cost of an audit as well, Corman says.
"If you have 20 systems that touch the data, then your PCI scope is those 20 systems," Corman explains. "But if you can reduce the scope to four systems, you have dramatically reduced the complexity of your compliance burden."
Automation and managed services can help reduce the costs and hassles of administering security applications, experts observe.
"The automation is really that first level of defense," says Kurt Mueffelmann, president and CEO of HiSoftware. "If someone wants to get around the system, they are going to find a way. But if you can protect against the people that don't mean to do it, then it has value."
Finding a good assessor is a big part of the battle, according to compliance experts. By consulting with a qualified security assessor (QSA), companies can design their infrastructure to make compliance easier.
Don’t use the same company to assess your compliance and provide a solution -- even if it costs less, Corman says. It's not unheard of for an assessor to fail a client in a specific area in order to sell a product that "fixes" the problem, he says.
"SMBs might want one-stop shopping to save money, but it is a healthy practice to make sure that you are not getting your auditing from companies that sell products," Corman says.