IT and regulatory compliance is necessary to ensure your organization meets the standards for data privacy and security that apply to your industry, location, and business functions. But how do you measure the return on investment (ROI) of your compliance program?
Executives may view compliance as a cost center and only want to invest in solutions that reach the bare minimum requirements. This perception can lead to a lack of support and funding to grow and maintain a healthy security program that yields higher results. If this point hits close to home, you’re certainly not alone. Many cybersecurity professionals have trouble quantifying, or telling a story around, how their compliance operations enable the business and save money in the long run.
Let’s break down several reasons and benefits of IT security compliance that can help you measure and communicate the value of your program to leadership.
Benefits of an Effective Compliance Program
Compliance Reduces the Risk of a Breach
The associated costs of a data breach can be devastating for any business: reports suggest the cost rose from 3.86 million to 4.24 million in 2021 — and that’s just the average. Some high-profile cases can result in hundreds of millions in damage.
Depending on the type of cyberattack, a breach can have far-reaching impacts outside of just the business as well. For example, the United States witnessed immediate economic impacts from the Colonial Pipeline ransomware attack earlier this year. Along with financial repercussions and compromised data, organizations may lose trust from customers and prospects after a severe cybersecurity breach. These secondary effects can take numerous years to recover from:
“If an organization’s compliance program really delivers on the practice of applying technical security controls, rather than just being a checkbox exercise, the risk of experiencing a damaging data breach is significantly reduced. Consequently, a single prevented breach may well pay for the compliance program in its entirety.” – Andrew Hollister, Deputy CISO, LogRhythm
Protecting your company’s brand and reputation goes hand-in-hand with having a constant, reliable compliance program that shows your organization is committed to ethical behavior.
Cybersecurity compliance is often viewed as a cost center; the value of the program — if done right — lies in the absence of incidents an organization experiences. While this lends truth to the old adage, “no news is good news,” it should not be understated just how much money, in fines or otherwise, a mature compliance program can save your organization.
Compliance Reduces Your Cost of Fines (Which are Rising)
Depending on your industry, you may find that regulations and mandates are increasingly driving hefty compliance fines that have a huge impact on businesses. Do the risks of being non-compliant outweigh the costs of investing in the right processes, tools, and overhead long term? The answer is usually yes!
In recent years, we’ve seen the Health Insurance Portability and Accountability Act (HIPAA) costs reach staggering numbers with resolution agreements and civil money penalties. General Data Protection Regulation (GDPR) fines are going up as well, increasing 20% from 2020 to 2021.
Keeping up with regulated cybersecurity compliance requirements is more important than ever before — especially for government agencies, as President Biden’s recent executive order makes security a top priority for the nation. Although only federal government agencies are directed to take immediate action to improve their data protection, the government recommends that state and local agencies, as well as private companies, follow suit.
Automating Compliance Saves Time and Money
Data protection should be more than just checking the boxes to make sure the organization avoids fines and penalties. If you invest the time and resources upfront to streamline compliance with your security program, you can more easily argue to stakeholders, prospects, customers, partners, and more that you are protecting all critical data, not just what is regulated.
Regardless of whether your organization has a mature or undeveloped compliance program, automation will extend efficiency and innovation across key areas of your business and increase ROI. With the growing number of mandatory compliance standards, automation can reduce management overhead and analyst effort by eliminating duplicate content. For example, LogRhythm’s Consolidated Compliance Framework (CCF) integrates into the SIEM platform, limiting the overlap in our customers’ compliance programs. This removes inefficiencies from the workflow and quantifiably reduces labor costs. You can learn more about integrating technologies like security information and event management (SIEM) within your compliance program here.
SIEM’s Role in Augmenting Security Control Objectives
No matter where your organization is in the journey to a mature compliance program, reviewing the control requirements each framework outlines can seem daunting. Frameworks often outline ten to twenty control domains, each of which contains just as many controls; the result is a standard framework of anywhere from 200 to 400 controls and procedural requirements for your GRC, security, and IT teams to implement. How does one go about efficiently implementing processes for each in a reasonable timeframe?
There are many tools and technologies available today that can help you streamline compliance efforts, ultimately leading to less time spent implementing procedures, a more automated compliance program, and a larger ROI. We’ll continue to use SIEM as an example of how that technology can help in those efforts, and how to practically implement it within your compliance program.
Most compliance frameworks place special emphasis on identity and access management controls. NIST 800-53, for example, has several controls within its “Access Control” control family related to privileged account management; this includes employing the principle of least privilege, authorizing access to said accounts on a strict case-by-case basis for only security functions, and preventing non-privileged users from executing privileged functions.
If your organization has goals to be compliant with NIST 800-53, your compliance program will be interested in how these privileged accounts are identified and monitored within your environment. Using SIEM analytics can afford you various monitoring capabilities depending on the audit trail you’d like to maintain. For example, you can develop a SIEM analytic that monitors all log sources for password modification activity based on a pre-defined list of privileged accounts; this means that every time the password of any account on the privileged user list is changed, an alert is triggered. Through the alerts and activity logs, your compliance team and management can quickly assess which account was affected, the user who made the change, when the event occurred, and more. Compliance can follow up and determine whether the password change was appropriate and followed the necessary control steps. Furthermore, reports over a period of time based specifically on this activity can be created for high-level analysis, which expedites an access review process while providing management with a succinct, consistent view of the activity from an automated output.
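The privileged-account password analytic described above, written out as an added example (it is not LogRhythm code and not part of the CCF): constructed JSON-lines records are scanned for password-modification events, and an alert is raised whenever the target account is on a watch list. The log schema, the field names, the “passwd” tag for Linux, and the watch list itself are assumptions made for the example; the Windows event IDs 4723 and 4724 are the real Security log identifiers for a self-service password change and an administrative reset.

```python
"""Minimal SIEM-style analytic: alert on password changes to privileged accounts.

Added example, not LogRhythm code. The log schema, field names and sample
records below are constructed for illustration.
"""
import json
import sys
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed privileged-user watch list (assumption: maintained by the
# compliance team; compared case-insensitively, like Windows account names).
PRIVILEGED_ACCOUNTS = {"da-jsmith", "svc-backup", "root"}

# Event identifiers treated as password modification. 4723 and 4724 are the
# real Windows Security IDs for "user changed own password" and
# "administrator reset a password"; "passwd" is an assumed normalised tag
# for the Linux passwd utility.
PASSWORD_CHANGE_EVENTS = {"4723", "4724", "passwd"}

# Constructed JSON-lines sample. The 4624 logon and the malformed line are
# included to show that unrelated and broken records do not raise alerts.
SAMPLE_LOGS = """\
{"ts": "2021-09-14T08:02:11Z", "host": "dc01", "event_id": "4724", "target": "DA-JSMITH", "actor": "helpdesk01"}
{"ts": "2021-09-14T08:05:40Z", "host": "dc01", "event_id": "4723", "target": "bclark", "actor": "bclark"}
{"ts": "2021-09-14T08:07:03Z", "host": "web02", "event_id": "passwd", "target": "root", "actor": "deploy"}
{"ts": "2021-09-14T08:09:59Z", "host": "dc01", "event_id": "4624", "target": "svc-backup", "actor": "-"}
this line is not valid JSON and should be skipped
{"ts": "2021-09-14T09:15:00Z", "host": "dc02", "event_id": "4723", "target": "SVC-BACKUP", "actor": "SVC-BACKUP"}
"""

REQUIRED_FIELDS = ("ts", "host", "event_id", "target", "actor")


@dataclass(frozen=True)
class Alert:
    """What compliance needs for follow-up: which account, who, when, where."""
    when: datetime
    host: str
    account: str
    actor: str
    event_id: str
    self_service: bool  # True when the account holder changed their own password


def parse_records(text):
    """Parse JSON lines; return (records, number_of_malformed_lines)."""
    records, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            if not all(k in rec for k in REQUIRED_FIELDS):
                raise ValueError("missing field")
        except (json.JSONDecodeError, ValueError):
            malformed += 1  # counted, not silently dropped: a gap in the audit trail
            continue
        records.append(rec)
    return records, malformed


def detect(records, watchlist=PRIVILEGED_ACCOUNTS):
    """Return one Alert per password modification of a watch-listed account."""
    watch = {a.lower() for a in watchlist}
    alerts = []
    for rec in records:
        if rec["event_id"] not in PASSWORD_CHANGE_EVENTS:
            continue
        account = rec["target"].lower()
        if account not in watch:
            continue
        actor = rec["actor"]
        alerts.append(Alert(
            when=datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            host=rec["host"],
            account=account,
            actor=actor,
            event_id=rec["event_id"],
            self_service=actor.lower() == account,
        ))
    return alerts


def changes_per_account(alerts):
    """Roll-up for the periodic access-review report: changes per account."""
    return dict(Counter(a.account for a in alerts))


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOGS)
    alerts = detect(recs)
    for a in alerts:
        kind = "self-service change" if a.self_service else "reset by another account"
        print(f"{a.when:%Y-%m-%d %H:%M:%SZ} {a.host}: {a.account} password {kind} "
              f"by {a.actor} (event {a.event_id})")
    print(f"summary: {changes_per_account(alerts)}; skipped {bad} malformed line(s)",
          file=sys.stderr)
```

Running the block against the constructed sample produces three alerts (the reset of da-jsmith by helpdesk01, the root change by deploy, and the self-service change by svc-backup); the non-privileged user’s change and the logon event produce none. The `self_service` flag is the piece the compliance reviewer uses first: a reset performed by a different account is the case that most often needs the change-ticket cross-check the text describes, and the per-account roll-up is the input to the periodic access-review report.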
Leveraging the power of real-time analytics delivers reliable and continuous compliance. It’s more than a report at the end of the month that tells your auditor that there were communications from the open internet to your PCI enclave; monitoring compliance controls through analytics can detect this in real time, closing the window for compromise or reducing the impact of an attack.
How to Demonstrate Compliance ROI
When you’re demonstrating ROI, it’s important to use quality metrics that show a correlation between your program and a reduction in legal, financial, and reputational risks. Here are some ways to quantify how your compliance program benefits the organization, reduces risk, and provides return on investment.
Consider Your Compliance Goals and KPIs
When measuring the value of your operations, consider what your goals are such as:
- Reducing identification and response time
- Reducing your overall estimated risk exposure related to compliance goals
- Identifying the most common compliance incidents
- Reducing the number and/or severity of internal and external IT audit findings
- Improving Mean Time to Repair (MTTR): Average time required to return equipment or systems to normal operations. May be referred to as “downtime.”
Based on your goal, you can determine a standard value for a data breach from market and industry estimates. For example, you can present a case to stakeholders by multiplying the number of breaches you are preventing by the cost of a breach to show your return. Then you can argue how your compliance investments and upfront costs reduce risk and benefit the organization long term.
Assign Financial Value to Acceptance/Mitigation of a Given Risk
Qualitative values can be assigned a financial value. Consider the following possibilities:
- Brand value (e.g., confidence of customers in your solutions, lack of data breaches in the news, level and consistency of external audit opinions on security, number of compliance certifications achieved)
- Ability to pursue new business opportunities (e.g., certain certifications may interest customers)
- Overall severity of post-audit findings and level of effort to remediate
- Customer confidence in relying on your offerings and tools as in-scope data and systems during the course of an audit
Here are several quantitative examples that you can measure:
- Increased earnings (customer confidence = more business)
- Cost savings (the avoided cost of noncompliance)
- Number of compliance issues closed over number of compliance issues identified
- Mean Time to Detect & Mean Time to Respond
- Total combined risk exposure of outstanding post-audit findings reported
Pitching Compliance and Reporting to the Board
Although compliance can be a complicated and expensive component of business, you can play a leading role in educating employees and leaders on the value of a compliance program and provide evidence of how it reduces financial, legal, and reputational risk.
When pitching to the board, link quality metrics coming from your compliance efforts to strategic business objectives to gain executive advocates and increase budget and support.