The True Cost of Compliance

Join the conversation: #compliancecost

Upload: tripwire

Post on 20-Aug-2015

Page 1: The True Cost of Compliance

Page 2: The True Cost of Compliance

The True Cost of Compliance

Dr. Larry Ponemon, Ph.D., Ponemon Institute LLC

Rekha Shenoy, VP Marketing, Tripwire Inc.

Page 3: The True Cost of Compliance

IT SECURITY & COMPLIANCE AUTOMATION

Today’s Speakers

Larry Ponemon Ph.D.

Chairman and Founder, CIPP

Ponemon Institute LLC

Rekha Shenoy

VP Marketing

Tripwire, Inc.

Page 4: The True Cost of Compliance

Ponemon Institute

The Institute is dedicated to advancing responsible information management practices that positively affect privacy, data protection, and information security in business and government.

The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.

Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO’s Government & Public Affairs Committee of the Board.

The Institute has assembled more than 60 leading multinational corporations into a group called the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.

The majority of active participants are privacy or information security leaders.


Page 5: The True Cost of Compliance

About our Study

Our benchmark research focuses on 46 multinational organizations and their respective data protection activities over the previous 12 months.

Our research methods utilize an activity-based costing model derived from actual meetings and site visits.

Our methods attempt to capture both direct and indirect costs associated with the following core compliance activities:

• Compliance policies

• Communications

• Program management

• Data security

• Compliance monitoring

• Enforcement

Page 6: The True Cost of Compliance

About our Study - continued

In addition to compliance activity cost, we captured the direct, indirect and opportunity costs incurred when a compliance failure occurs. These include:

• Business disruption: The total economic loss that results from non-compliance events.

• Productivity loss: The lost time and related expenses associated with the downtime of systems and other critical processes.

• Lost revenues: The loss in revenue sustained as a result of non-compliance with data protection requirements and laws.

• Fines, penalties and other settlement costs: The total fines, penalties and other legal or non-legal settlements associated with data protection non-compliance issues.

Page 7: The True Cost of Compliance

Page 8: The True Cost of Compliance

Summary of Key Findings

The cost of non-compliance can be more expensive than investing in compliance activities.

Industry and organizational size affect the cost of compliance and non-compliance.

The gap between compliance and non-compliance cost is related to data breach frequency.

Security effectiveness affects the cost of non-compliance.

Audits reduce costs of compliance.

Laws and regulations are the main drivers for investment in compliance activities.

Page 9: The True Cost of Compliance

Project Summary

We are pleased to present the results of the Cost of Compliance study sponsored by Tripwire, Inc. and conducted by Ponemon Institute.

The purpose of this study is to determine the total cost of compliance activities that relate to data protection for a benchmark sample of multinational organizations.

Our study involves 46 corporations and 160 respondents who are deeply involved in their organization’s IT compliance, data protection, security or privacy functions.

Utilizing activity-based cost accounting methods, we were able to objectively derive the direct and indirect costs for the present sample of organizations.

Benchmark response    Freq.
Contacted             399
Agreement             67
Participation         50
Incomplete studies    4
Final sample          46

Page 10: The True Cost of Compliance

Industry Distribution of 46 Organizations

Page 11: The True Cost of Compliance

Industry Distribution of 46 Organizations

Approximate titles of 160 respondents

Page 12: The True Cost of Compliance

Global Footprint of 46 Multinational Organizations

Page 13: The True Cost of Compliance

Global Footprint of 46 Multinational Organizations

Page 14: The True Cost of Compliance

Average Compliance and Non-Compliance Costs

Page 15: The True Cost of Compliance

Average Compliance Cost by Activity Center

Six cost activity centers span the full economic impact of compliance costs associated with protecting data.

Page 16: The True Cost of Compliance

Average Non-Compliance Cost by Activity Center

Four cost activity centers span the full economic impact of non-compliance costs associated with protecting data.

Page 17: The True Cost of Compliance

Laws and Regulations: Main Drivers for Investments

Industry and organizational size affect the cost of compliance and non-compliance.

Page 18: The True Cost of Compliance

Industry and Size Affect the Cost of Compliance

Industry and organizational size affect the cost of compliance and non-compliance.

Page 19: The True Cost of Compliance

Difference in Costs is Related to Data Breach Frequency

The smaller the gap between compliance and non-compliance costs, the lower the frequency of compromised records.

Page 20: The True Cost of Compliance

Secure Organizations Have Lower Non-Compliance Costs

Organizations with a higher security effectiveness score experience a lower cost of non-compliance.

Page 21: The True Cost of Compliance

Ongoing Audits Reduce the Total Cost of Compliance

Per capita non-compliance costs are inversely related to the frequency of compliance audits. Organizations that do not conduct compliance audits experience the highest compliance cost.

Page 22: The True Cost of Compliance

For more information: www.tripwire.com/ponemon-cost-of-compliance

Page 23: The True Cost of Compliance

www.tripwire.com

Tripwire Americas: 1.800.TRIPWIRE

Tripwire EMEA: +44 (0) 20 7382 5420

Tripwire Japan: +812.53206.8610

Tripwire Singapore: +65 6733 5051

Tripwire Australia-New Zealand: +61 (0) 402 138 980

THANK YOU!

Larry Ponemon, Ph.D., Ponemon Institute, LLC

E-mail: [email protected]