Most organizations don’t have a firm handle on how much they are spending to comply with various data privacy and security standards. But a new study of 360 organizations conducted by Aberdeen Group on behalf of Liaison Technologies, a provider of data integration and management software delivered as a cloud service, estimates that on average those costs are about 30 percent of the overall IT operations budget (OpEx). That suggests organizations take those requirements seriously. But it also creates a lot of frustration and consternation concerning a large portion of the IT budget that is being allocated to a task that does not directly create value for the business.
At a time when businesses are trying to build and deploy more applications to drive digital business initiatives, there is a clear mandate to drive down those costs. Each new application deployed adds its own compliance and security costs. To make deploying more applications sustainable, it is reasonable to assume OpEx spending on privacy and security will need to be cut by at least half. Unfortunately, there is a strong temptation to hit that target by applying the barest minimum of compliance and security controls, with the predictable result that the organization is no better protected than before.
More troubling still, the survey finds that despite spending 30 percent of their OpEx budget on privacy and security, three out of five organizations (58%) experienced at least one data breach in a 12-month period. The survey also finds that three out of four organizations (75%) experienced at least one compliance issue involving data in the 12-month period studied. The survey does not establish a direct correlation between the level of compliance achieved and whether a data breach occurred, but it is a fair bet that many of the organizations that suffered a breach also had a compliance problem.
One of the big reasons this occurs is that, of the 11 regulations and frameworks Aberdeen identified as common, only 61 percent of organizations could claim compliance with all of them. Not surprisingly, Aberdeen suggests one of the biggest cost drivers is that there is very little centralized accountability. It is not uncommon for organizations to wind up implementing duplicate controls to meet different regulatory requirements. In fact, the study also notes that over half the respondents have three or more data types subject to privacy and security compliance requirements.
The relationship between cybersecurity and compliance has always been complex. If it were not for compliance requirements, it is safe to say there would be significantly fewer cybersecurity defenses in place than there are today. Nothing motivates organizations to pay attention to cybersecurity quite like a potential compliance fine. The trouble is that too many organizations still equate being compliant with being secure. Compliance regulations set a bare minimum standard for cybersecurity, and controls that stop at that minimum are often relatively simple for cybercriminals to get past. Yet even achieving that bare minimum is becoming cost prohibitive. That suggests it is only a matter of time before organizations, out of economic necessity, begin to rely more on automation infused with artificial intelligence (AI) to achieve both compliance and more robust cybersecurity, because the current level of spending on these tasks is simply unsustainable.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.