7 min read

Compliance Costs Are Eating Security Budgets

Ericka Chickowski

June 02, 2020

Compliance Costs Are Eating Security Budgets

 The cost of cybersecurity compliance is rising to unsupportable levels and enterprises are going to need to act soon if they are to keep the situation from hindering innovation, according to a new report. Conducted jointly by analyst firm Omdia and security advisory consultancy Coalfire, the study shows that over half of firms across all the major verticals are spending 40% or more of their IT security budgets on compliance today.

More critically, nearly six in 10 companies report that compliance stands as a barrier to enter new markets and prepare new services to meet compliance requirements.

"The compliance landscape has changed dramatically over the last 10 years," said Adam Shnider, Executive Vice President, Cyber Assurance Services, Coalfire. "Our research confirms that resource burdens have become unsustainable to the point that there may be no light at the end of the tunnel for organizations that fail to adopt new cybersecurity compliance strategies."

Compliance Headwinds

The burden of security compliance is no new phenomenon in the enterprise world. Two of the major challenges named by the Omdia study as today's top burdens have thrwarted many organizations for many years now, namely:

Manual effort and lack of visibility: The spreadsheet-centric, manual approach to proving compliance and the general lack of visibility into organizations' current controls makes assessment a painful process

No harmonization with security 'intent': More tricky is that internal teams and external assessors struggle to match up the security 'intent' of compliance requirements with the constant changes in technology stacks

What ups the ante of these perennial problems is the rapidly expanding scope and variety of requirements coming from a growing volume of new regulations. The study showed that approximately 70% of organizations are now subject to compliance with more than five standards or regulations. This added dimension exacerbates the existing issues and increases the costs of cybersecurity compliance programs.

What's more, existing and new regulations are cracking down more on checkbox compliance tendencies, requiring a greater depth of security maturity to meet requirements. As the report explains, more assessors are looking out for continuous cybersecurity monitoring—which "subject those who must comply with additional overhead and burden—often times doubling or tripling the impact of compliance for organizations already strapped for resources."

As the report explains, this puts pressure on budgets not just the costs of bringing in new technology. It adds tremendous people hours to maintain. The study showed that over half of companies spend a minimum of 1,200 hours per year on maintaining compliance and nearly half say they spend close to 20,000 hours annually maintaining compliance with multiple frameworks on six or more different systems.

Adding further complexity to the equation is the fact that more organizations are moving workloads to the cloud, which "adds a layer of knowledge and experience to any compliance program that could increase costs in the short term."

Compliance Transformation Necessary

The dynamics described by the report are exactly the opposite of what needs to happen as organizations try to accelerate into digital transformation. With compliance demands being consistently named as a blocker to moving fast into competitive markets, and no end in sight on the regulatory expectation side of the equation, enterprises must transform their compliance function in lockstep with every other technology initiative.

The report suggests the following five steps to serve as the bedrock of such a transformation:

  • Centralized solutions that support collaboration, automation, and visibility
  • Consolidation of compliance efforts to reduce strain on internal staff
  • Alignment with security initiatives to adopt a unified approach
  • Go-to-market alignment
  • The incorporation of business strategy and best practices

These strategies should be designed to reduce cost through greater efficiency, and increase the business value of compliance investments wherever possible. Top of the list for cost reduction is greater use of automation for evidence collection, for which the study showed 62% naming as a key strategy to reduce the impact of compliance efforts.

Organizations should also be seeking better ways to coordinate efforts internally and externally to reduce the amount of repetitive follow-up activities that must be done to prove out compliance with each regulation. This includes efforts like continuous testing schedules, ongoing compliance activity management calendars, and proactive assessor reporting, it explains.

"Despite the exponential growth in compliance obligations, our research shows that positive business and security outcomes are possible," said Alan Rodger, Senior Analyst, Omdia. "By adopting new best practices, some organizations are reporting 40-50% compliance resource savings, and many are using their improved security posture as a competitive differentiator."

Rodger's last point is key, because this will improve the ROI of compliance costs beyond simply meeting regulatory demands. The report showed that smart organizations are finding a way to market their compliance and security investments and use their compliance with frameworks and other best practices as a sales driver. Some 67% of companies use compliance as a market differentiator and 49% use security posture similarly. One respondent to the study reported experiencing a 33% sales pipeline conversion improvement once they started proactively marketing their compliance and security posture.



Ericka Chickowski

An award-winning writer, Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. Chickowski’s perspectives on business and technology have also appeared in dozens of trade and consumer magazines, including Consumers Digest, Entrepreneur, Network Computing and InformationWeek.

View all posts

You might also like