
The Compliance Officer's Dirty Little Secret

Fines may cost less than regulatory compliance, but they aren't the only cost of noncompliance

At many organizations, chief compliance officers (CCOs) conclude that the price of achieving compliance exceeds the expense of a regulatory fine. So they roll the dice, attempting to save money by forgoing serious compliance efforts and assuming they'll simply absorb the fines for noncompliance if they're ever caught. Unfortunately, that gamble rests on flawed assumptions: most of these initial calculations are based on numbers that don't account for the long tail of costs incurred from noncompliance and data breaches.

This faulty calculation is the dirty little secret of today's typical CCO, says Bob Janacek, CTO at cloud-based information delivery company DataMotion.

"There are a lot of compliance officers that just go into this maybe reading about what the fine will be, and they think that's all that is because they haven't been through it before and they don't see the long tail behind that," he says. "It's not just the front-end fines."

Compliance and security personnel need to factor much more than regulatory fines into their risk calculations, warns Chris Apgar, CEO and president of Apgar & Associates, a privacy, security, and regulatory compliance consultancy. He says they need to consider the legal risk of class-action lawsuits following a breach, the cost of notifying victims, potential fallout in the stock price, the cost of technology and consultants to remediate problems when regulators crack down, and the intangible cost of brand damage when word gets out about the company's missteps.

Apgar holds up the recent fallout from a breach at Blue Cross Blue Shield of Tennessee as a good example of how fines are just a small cost associated with noncompliance.

"Yes, they were fined $1.5 million, but it cost them over $17 million to address the breach and mitigate," he says. "It can be very expensive, and that's real hard costs: That's not the intangible costs of loss of trust and potential loss of business. People don't understand what the full cost is because they just focus on what does the regulation require of me and what are the penalties?"

Apgar relates an example from a recent customer engagement to illustrate how hidden costs surface when security incidents arise. While working with a large utility to test its incident response plan, his team found that the IT shop's response procedures were in great shape. But when it came to responding in concert with the other departments a breach would affect, that's when things got squirrelly.

"When we brought in the attorney and the communications shop and so forth, it just fell apart," he says. "They didn't know what to do or where to go. There wasn't that linkage between a good, solid IT shop that was secure and then, when it spilled over into the business, what it would cost or what it would even take to address it."

According to Janacek, it will take a while yet for most CCOs to gather a broader picture of the risks as compared with the cost of compliance.

"I think it may take a long time for compliance officers to really see the total risk that a compliance breach has on the organization," says Janacek, who believes that at the moment many well-intentioned CCOs are still learning through ad-hoc, on-the-job training. "But hopefully when they see the total costs of these breaches in the media, and how many more times it costs to remediate these breaches versus putting in systems that could prevent them in the first place, hopefully they have the clout to try to do the right thing."

And when they do try to do the right thing, then perhaps the costs will be cut not through the roll of the dice, but instead by creating an efficient governance, risk, and compliance program.

"The regulatory burden is only going to get heavier year-over-year. Its drag on the bottom line is palpable," says Ben Tomhave, principal consultant at LockPath. "As such, it is becoming increasingly important that this burden be taken on aggressively through instantiation of a comprehensive GRC program that includes an imperative to actively manage operational risk in a measurable, cost-effective manner. To achieve this objective, businesses will need to formalize their GRC practices through stand-up of a GRC program."
