We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
November 4, 2022
IT and regulatory compliance are necessary to ensure your organization meets the standards for data privacy and security that apply to your industry, location and business functions. So how do you measure the return on investment (ROI) of your compliance program?
Executives may view compliance as a cost center, wanting only to invest in solutions that reach the bare minimum requirements. This perception can lead to a lack of support and funding to grow and maintain a healthy security program that yields higher results. If this point hits close to home, you’re certainly not alone. Many cybersecurity professionals have trouble quantifying or telling a story around how their compliance operations enable the business and save money in the long run.
Let’s break down several reasons and benefits of IT security compliance that can help you measure and communicate the value of your program to leadership.
Compliance Reduces the Risk of a Breach
The associated costs of a data breach can be devastating for any business. Reports suggest the cost rose from 3.86 million to 4.24 million in 2021 — and that’s just the average. Some high-profile cases can result in hundreds of millions in damage.
Depending on the type of cyberattack, a breach can have far-reaching impacts well beyond the targeted business. For example, the United States witnessed immediate economic impacts from the Colonial Pipeline ransomware attack earlier this year. Along with financial repercussions and compromised data, organizations may lose the trust of customers and prospects after a severe cybersecurity breach. Recovery from these secondary effects can take many years:
“If an organization’s compliance program really delivers on the practice of applying technical security controls, rather than just being a checkbox exercise, the risk of experiencing a damaging data breach is significantly reduced. Consequently, a single prevented breach may well pay for the compliance program in its entirety.” – Andrew Hollister, Deputy CISO, LogRhythm
Protecting your company’s brand and reputation goes hand in hand with having a consistent, reliable compliance program that shows your commitment to ethical behavior.
Cybersecurity compliance is often viewed as a cost center. When compliance is done right, the value of the program lies in the incidents an organization does not experience. The amount of money, in fines or otherwise, that a mature compliance program can save your organization should not be underestimated.
Compliance Reduces Your (Rising) Cost of Fines
Depending on your industry, you may find that regulations and mandates are increasingly driving hefty compliance fines that have a huge impact on businesses. The risks of being non-compliant outweigh the long-term cost of investing in the right processes, tools and overhead.
In recent years, we’ve seen Health Insurance Portability and Accountability Act (HIPAA) penalties reach staggering numbers through resolution agreements and civil money penalties. General Data Protection Regulation (GDPR) fines are going up as well, increasing 20% from 2020 to 2021.
Keeping up with regulated cybersecurity compliance requirements is more important than ever before, especially for government agencies, as President Biden’s recent executive order makes security a top priority for the nation. Although only federal government agencies are directed to take immediate action to improve their data protection, the government recommends that state and local agencies, as well as private companies, follow suit.
Automating Compliance Saves Time and Money
Data protection should be more than just checking the boxes to make sure the organization avoids fines and penalties. If you invest the time and resources upfront to streamline compliance with your security program, you can more easily argue to stakeholders, prospects, customers, partners and more that you are protecting all critical data, not just what’s regulated.
Regardless of whether your organization has a mature or undeveloped compliance program, automation will extend efficiency and innovation across key areas of your business and increase ROI. With the growing number of mandatory compliance standards, automation can reduce the management overhead and analyst effort by eliminating duplicate content.
Reviewing the control requirements each framework outlines can seem daunting. That’s because frameworks often outline ten to twenty control domains, each of which contains just as many controls. The result is a standard framework of anywhere from 200 to 400 controls and procedural requirements for your GRC, security and IT teams to implement. How do you efficiently implement processes for each in a reasonable timeframe?
There are many tools and technologies available today that can help you streamline compliance efforts, ultimately leading to less time spent implementing procedures, a more automated compliance program and a larger ROI. We’ll use security information and event management (SIEM) as an example of how technology can help in those efforts, and how to practically implement it within your compliance program.
Most compliance frameworks place special emphasis on identity and access management controls. NIST 800-53 has several controls within its “access control” control family related to privileged account management. This includes employing the principle of least privilege, authorizing access to said accounts on a strict individual basis for security functions, and preventing non-privileged users from executing privileged functions.
If your organization has goals to be compliant with NIST 800-53, your compliance program will be interested in how these privileged accounts are identified and monitored within your environment. Using SIEM analytics can afford you various monitoring capabilities depending on the audit trail you’d like to maintain. For instance, you can develop a SIEM analytic that monitors all log sources for password modification activity based on a pre-defined list of privileged accounts. This means that every time a password to any account on the privileged user list is changed, an alert will be triggered.
Through the alerts and activity logs, your compliance team and management can quickly assess which account was affected, the user who made the change, when the event occurred and more. Compliance can determine whether the password change was appropriate and followed the necessary control steps. Reports based specifically on this activity can be created for high-level analysis, which expedites the access review process while giving management a succinct, consistent view of the activity from an automated output.
Leveraging the power of real-time analytics delivers reliable and continuous compliance. It’s more than a report at the end of the month that tells your auditor there were communications from the open internet to your PCI enclave. Monitoring compliance controls through analytics can detect this in real time, closing the window for compromise or reducing the impact of an attack.
When you’re demonstrating ROI, it’s important to use quality metrics that show the correlation between your compliance efforts and a reduction in legal, financial and reputational risk. Here are some ways to quantify how your compliance program benefits the organization, reduces risk and provides return on investment.
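As an added example (not code from the original post or from Optiv’s tooling), here is the analytic described above written in Python: it scans constructed sample log lines from a domain controller and a Linux host for password-modification events, matches the target account against a pre-defined privileged-account list, and emits alert records carrying the affected account, the actor, the host and the time. The key=value layout of the Windows lines and the account list are assumptions; the Windows event IDs 4723/4724 and the pam_unix message text are real formats.

```python
import re

# Pre-defined privileged-account list the compliance program maintains (constructed).
PRIVILEGED_ACCOUNTS = {"administrator", "root", "svc_backup"}

# Windows Security-log password events (real IDs): 4723 = user changed own password,
# 4724 = password reset by another principal. The key=value layout is assumed to be
# produced by the log collector (constructed normalisation, not a native format).
WIN_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>4723|4724) "
                    r"SubjectUserName=(?P<actor>\S+) TargetUserName=(?P<target>\S+)$")
# Linux pam_unix syslog message; it names the changed account but not who ran passwd.
PAM_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) passwd\[\d+\]: "
                    r"pam_unix\(passwd:chauthtok\): password changed for (?P<target>\S+)$")

def normalize(account):
    """Strip a DOMAIN\\ or @realm qualifier and lower-case, so list matching is robust."""
    return account.split("\\")[-1].split("@")[0].lower()

def detect_privileged_password_changes(lines, privileged=PRIVILEGED_ACCOUNTS):
    """Return one alert dict per password change/reset whose target is on the list."""
    alerts = []
    for line in lines:
        if m := WIN_RE.match(line):
            event = "password_reset" if m["eid"] == "4724" else "password_change"
            actor = m["actor"]
        elif m := PAM_RE.match(line):
            event, actor = "password_change", "unknown (pam_unix does not log the actor)"
        else:
            continue  # not a password-modification event (e.g. a logon)
        target = normalize(m["target"])
        if target in privileged:
            alerts.append({"timestamp": m["ts"], "host": m["host"],
                           "target_account": target, "actor": actor, "event": event})
    return alerts

# Constructed sample log lines from a domain controller and a Linux host.
SAMPLE_LOGS = [
    "2022-11-01T09:14:02Z host=dc01 EventID=4724 SubjectUserName=jsmith TargetUserName=svc_backup",
    "2022-11-01T09:20:45Z host=dc01 EventID=4723 SubjectUserName=bjones TargetUserName=bjones",
    "2022-11-01T10:02:11Z host=dc01 EventID=4724 SubjectUserName=helpdesk1 TargetUserName=CORP\\Administrator",
    "2022-11-01T11:30:00Z host=web01 passwd[2231]: pam_unix(passwd:chauthtok): password changed for root",
    "2022-11-01T12:00:00Z host=dc01 EventID=4624 SubjectUserName=- TargetUserName=svc_backup",
]

if __name__ == "__main__":
    for alert in detect_privileged_password_changes(SAMPLE_LOGS):
        print(alert)  # three alerts: svc_backup, administrator, root
```

The Linux case shows the audit-trail gap the compliance team has to plan for: pam_unix records which account changed, not who changed it, so the actor must come from a second source such as sudo or auditd logs.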
Consider Your Compliance Goals and KPIs
When measuring the value of your operations, consider what your goals are such as:
You can determine a standard value for a data breach based on market and industry estimates. For example, you can present a case to stakeholders showing your return by multiplying the number of breaches you prevent by the cost of a breach. Then you can argue how your compliance investments and upfront costs reduce risk and benefit the organization long term.
Assign Financial Value to Acceptance/Mitigation of a Given Risk
Qualitative values can be assigned a financial value. Consider the following possibilities:
Here are several quantitative examples that you can measure:
Although compliance can be a complicated and expensive component of business, you can play a leading role in educating employees and leaders on the value of a compliance program and provide evidence of how it reduces financial, legal and reputational risk.
When pitching to the board, link quality metrics coming from your compliance efforts to strategic business objectives to gain executive advocates and increase budget and support.