Posted on Oct 17, 2019
Compliance isn’t easy: it’s expensive, time consuming, and regulations are constantly changing. It may be hard to get buy-in from employees or leadership who see compliance as a barrier to productivity, and it may also be difficult to know when your organization falls out of compliance.
But if you’re doing business in a regulatory environment, you know how crucial it is to meet regulatory compliance and standards requirements. For one thing, standards and regulations are in place for a reason — to protect your data and the data of your customers.
For another, non-compliance costs more than twice the cost of maintaining or meeting compliance requirements — according to a study from the Ponemon Institute, the average cost for organizations that experience non-compliance problems is $14.82 million. That includes fines, forced compliance costs, and lost business.
To avoid these costs, it’s imperative that your company is proactive about compliance. Here are some suggestions for doing so:
It’s not enough to be compliant after the fact; make sure you’re proactive about checking for updated standards and regulations. This isn’t easy – according to Thomson Reuters Regulatory Intelligence’s (TRRI) Cost of Compliance Survey, the single biggest challenge for organizations is regulatory change.
In some industries, tracking changes to regulations can seem like a full time job; TRRI tracks 1,000 regulatory bodies worldwide. In the past year, TRRI captured 57,398 regulatory alerts from those bodies, an average of 220 updates to regulations and standards every day.
Most companies are unlikely to get quite that many daily alerts, but the time spent on regulatory changes can — and should — be significant. Compliance officers spend about 15% of their week on tracking regulatory changes and that number is likely to rise. TRRI finds that 71% of firms expect the amount of regulatory information published by regulators and exchanges to increase in the next year.
It’s hard to get excited about compliance if you don’t understand what regulations you’re complying with and why you have to be in compliance.
Make the process less opaque for your employees by offering training, explaining the regulations you have to follow, why those standards and regulations are important, and how that affects your employees’ daily jobs. (Also make sure they know the stakes — for them and for the company – if your organization falls out of compliance.)
While compliance is everyone’s job, there should be one central person who owns compliance.
Most large organizations have a compliance officer, while others have full compliance teams, but small or mid-sized organizations may not have the resources for a compliance champion or team.
If your organization doesn’t have a compliance officer already, designate someone to handle compliance issues. That person’s duties should include monitoring compliance, checking for updates to regulations and standards, and keeping the rest of your organization informed.
Compliance with security standards and regulations is not just a CISO problem. Because the penalties for breaches and non-compliance can be so severe, it’s important that your company’s legal professionals work with your compliance officer or your security team to review incidents, public disclosures, policies and risks, among other things.
A strong relationship with the legal department can help keep your company in compliance, and may help your board and leadership take compliance and standards more seriously.
It’s no longer enough to use static tools like checklists to monitor for compliance. Checklists are a snapshot. They only allow you to see if you’re in compliance when the checklist is being completed.
Automated tools allow you to monitor compliance in real-time, giving you continuous assurance that your organization is in compliance with regulations and standards, minimizing the cyber risks that may lead to a data breach, and minimizing the chance that human error may lead to a gap in compliance.
Automated tools also save you time. TRRI found that compliance teams still spend a significant amount of time tracking regulatory developments — 60% of teams spend between 1 and 7 hours a week amending policies and procedures to reflect current regulations. However, those numbers are down from where they were in 2012 and 2015, suggesting that more teams are using automated tools.
SecurityScorecard enables you to view and continuously monitor security ratings, easily add vendors or partner organizations, and report on the cyberhealth of your ecosystem. When an issue is detected, the platform automatically generates a recommended action plan for issue remediation in order to achieve a “target” letter grade for customers and their vendor and partner organizations.
It also provides access to breach insights and shows a clear record of issues that have impacted scores over time. Additional collaboration tools help enterprises better manage security and ensure continuous compliance with regulatory standards and frameworks.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.