Most organizations now spend a large portion of their security budget on compliance-related activities, yet only a small percentage believe that government regulations actually improve cybersecurity. To help security leaders reduce compliance complexity, cost, and effort, global IT research and advisory firm Info-Tech Research Group has released its new Build a Security Compliance Program blueprint.
According to the firm’s research, the cost of complying with cybersecurity and data protection requirements has risen to the point where most organizations see it as a barrier to entering new markets. The report also finds, however, that the cost of non-compliance can be up to three times the cost of compliance.
“These days, it is hard to find a security leader who welcomes new regulations,” says Kate Wood, security and privacy research practice lead at Info-Tech Research Group. “The majority of organizations already manage five or more compliance obligations, and most allocate at least 25% of their security budget to compliance activities. Yet, for all the good intentions behind these regulations, very few security professionals believe that government rules improve organizational cybersecurity. At this point, compliance obligations are inevitable, but it is possible to manage them without breaking the bank.”
Info-Tech’s blueprint highlights the benefits of an effective security compliance program. For IT, such a program reduces complexity in the control environment by mapping multiple compliance regimes onto a single control framework, so that each control is implemented and evidenced once rather than separately for every regime; it lowers the cost and effort of managing IT audits through planning and preparation; and it improves information security practices through self-assessments.
For the business, an effective security compliance program gives senior management a structured framework for deciding how to allocate cost and effort across cybersecurity and data protection compliance obligations. It also helps reduce compliance risk and provides visibility into current compliance status.