ROI Compliance – A Recurring Theme


Across industries, requirements for compliance with Government and International standards for protection cloud, data and personally identifiable information (PII), Protected Health Information (PHI) and Controlled Unclassified Information (CUI) are beginning to tighten and becoming more complex. As a result, the required investment in best practices, human capital resources, independent auditors, and other services is a more visible cost within the organization. As a result, a recurring theme of, “what is the return on investment (ROI) for…….” where the blank represents the latest cyber, cloud or privacy requirement, has occurred.

Capturing the ROI on compliance can be elusive as it is often contingent on articulating the cost of non-compliance. At EmeSec, we recommend that companies look at ROI from three distinct perspectives:
• Breach Cost(s)
• Investment Cost(s)
• Opportunity Cost(s)

For example, breach costs may include internal damages as well as external credit reporting and reputational trust issues. Investment costs may include personnel, devices, services, and subject matter experts needed to support compliance. Opportunity costs related to driving alternative revenue or participating in a significant project could result in broader, longer-term growth implications.

Let’s examine each ROI area more specifically:

Breach Costs are Not Negligible

According to a Ponemon Institute survey, it now takes a large organization an average of 31 days at a cost of $20,000 per day to clean up and remediate after a cyber attack, with the total price tag for a data breach now at nearly $640,000. Building and maintaining a reputation as an organization with a high degree of compliance mitigates reputational damage that can otherwise result from compliance failures. To note, this may or may not include the credit reporting and follow-on actions required by government contractors.

The cost of reputational damage, although harder to quantify, should be added to the “hard” costs of incident response including any proactive secure communications work, which we regularly recommend. Other proactive breach prevention work includes technical network design and architecture, automated vulnerability assessment and mitigation, and encryption use for data at rest or in transit.

Investment ROI

As most companies are inevitably transitioning to become digital businesses, security and compliance will be the foundation for the future of your business. The development of a strong information security program, with the appropriate policies and procedures, can reduce the amount of maintenance costs derived from compliance personnel (labor) and activities (automated scanning, automated inventory updates, reporting and alerts). Employing a consulting service or MSSP delivers the option to save overhead costs (taxes and benefits) while potentially affording the organization a more effective means of gaining expertise at a lower cost point.

The manner, in which procedures and policies are established, managed and updated, can create ROI. For example, with one customer, we were able to offer enterprise cloud policies for multiple CSP solutions. Previously, the organization had numerous procedures and policies for each solution hoping to gain FedRAMP compliance.

Using Compliance to Grow Revenue and Profit

Perhaps the most overlooked aspect of calculating the ROI of compliance is lost business / project opportunities. Establishing cybersecurity legitimacy and a strong foundation for data protection can be a springboard for public and private business development opportunities. Cyber due diligence has become a critical part of companies’ sales engines and will continue to directly impact their new business pipeline. Progressive companies market their security practices as a strategic business advantage over competitors. When calculating the ROI of compliance, it’s important to factor in the value of sales and the marketing advantage that your demonstrated due diligence brings to the table.

In 2016 and beyond, the ability to ensure data privacy and information protection is a fundamental business tenet. Proactively demonstrating to key stakeholders like current customers and prospects your due diligence and compliance accomplishments is no longer a distinct advantage. It is the bare minimum to stay competitive.

Contact EmeSec to learn more about leveraging our CISO-as-a-Service and other services including FedRAMP, PII, PHI, CUI compliance cconsulting support