Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


04:08 PM

The Compliance Officer's Dirty Little Secret

Fines may not equal cost of regulatory compliance, but they aren't the only cost of noncompliance

At many organizations, chief compliance officers (CCOs) conclude the price of achieving compliance is more than the expense of a regulatory fine. So they roll the dice, attempting to save money by forgoing serious compliance efforts, thinking they’ll simply absorb the fines for noncompliance if they're ever caught. Unfortunately, that gamble is made on flawed assumptions: Most of these initial calculations are based on numbers that don't figure in the long tail of cost incurred from noncompliance and data breaches.

This faulty calculation is the dirty little secret of today's typical CCO, says Bob Janacek, CTO at cloud-based information delivery company DataMotion.

"There are a lot of compliance officers that just go into this maybe reading about what the fine will be, and they think that's all that is because they haven't been through it before and they don't see the long tail behind that," he says. "It's not just the front-end fines."

Compliance and security personnel need to consider much more than just regulatory fines into their risk calculations, warns Chris Apgar, CEO and president of Apgar & Associates, a privacy, security, and regulatory compliance consultancy. He says they need to think of the legal risks from class-action lawsuits incurred following a breach, the cost of notification of victims, potential fallout in stock prices, the cost of technology and consultants to remediate problems when the regulators crack down, and the intangible costs of brand damage when word gets out about the company's missteps.

Apgar holds up the recent fallout from a breach at Blue Cross Blue Shield of Tennessee as a good example of how fines are just a small cost associated with noncompliance.

"Yes, they were fined $1.5 million, but it cost them over $17 million to address the breach and mitigate," he says. "It can be very expensive, and that's real hard costs: That's not the intangible costs of loss of trust and potential loss of business. People don't understand what the full cost is because they just focus on what does the regulation require of me and what are the penalties?"

[ How can you make your compliance spend more efficient? See 5 Ways You're Wasting Compliance Dollars. ] Apgar relates an example he saw recently in a customer engagement to illustrate how hidden costs can manifest themselves when security incidents arise. In working with a large utility to test its incident response plan, his team found that its IT shop's response procedures were in great shape. But when it came to responding to something in concert with other departments that would be affected by a breach, that's when things got squirrelly.

"When we brought in the attorney and the communications shop and so forth, it just fell apart," he says. "They didn't know what to do or where to go. There wasn't that linkage between a good, solid IT shop that was secure and then, when it spilled over into the business, what it would cost or what it would even take to address it."

According to Janacek, it will take a while yet for most CCOs to gather a broader picture of the risks as compared with the cost of compliance.

"I think it may take a long time for compliance officers to really see the total risk that a compliance breach has on the organization," says Janacek, who believes that at the moment many well-intentioned CCOs are still learning through ad-hoc, on-the-job training. "But hopefully when they see the total costs of these breaches in the media, and how many more times it costs to remediate these breaches versus putting in systems that could prevent them in the first place, hopefully they have the clout to try to do the right thing."

And when they do try to do the right thing, then perhaps the costs will be cut not through the roll of the dice, but instead by creating an efficient governance, risk, and compliance program.

"The regulatory burden is only going to get heavier year-over-year. Its drag on the bottom line is palpable," says Ben Tomhave, principal consultant at LockPath. "As such, it is becoming increasingly important that this burden be taken on aggressively through instantiation of a comprehensive GRC program that includes an imperative to actively manage operational risk in a measurable, cost-effective manner. To achieve this objective, businesses will need to formalize their GRC practices through stand-up of a GRC program."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-22
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not pa...
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2020-10-22
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
PUBLISHED: 2020-10-22
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.