Sure, the cost of compliance has been driven higher and higher by increased regulatory burdens over the years. But that is not the whole story. Many organizations spend more because they waste compliance dollars on piecemeal compliance programs, ineffective products, and expensive consultants brought in when things go wrong.
"Businesses spend a lot of money on compliance and risk management. Effective compliance is a critical component of modern business, and the oversight environment is getting increasingly more complicated every day," says Geoff Harkness, managing director at MorganFranklin. "Rather than increasing compliance spend in direct relation to increasing oversight, businesses must figure out ways to make more effective use of future budgets."
Here's where Harkness and fellow security experts believe businesses should look to find the money they're wasting on compliance and audits.
1. Do Everything Manually
Doing something by hand may make sense in the kitchen or the workshop, but not in the data center. Today, IT departments waste time, money, and good marks with the auditors when they do their compliance audit and remediation work manually.
"Unnecessary waste occurs with companies who are using manual processes to conduct IT audits for all aspects of the audit," says Jason Creech, director of policy compliance for Qualys.
Tufin's Michael Hamelin agrees. Manual processes not only take a lot of manpower to pull off, they also end up jeopardizing the state of compliance. It is the very definition of waste: spending lots of money on a process that comes to nothing anyway. He says he has seen numerous prospective customers spend days on manual firewall audits for PCI, only to be knocked out of compliance by the next weekly firewall change window.
"Automation can play a huge part in aligning security and compliance goals by providing analytics and reporting that allows organizations to sync their efforts," says Hamelin, Tufin's chief security architect. "When you can leverage automation to be preventative, over time, it results in a more proactive and strategic approach to both security and compliance management, and instead of wasting money you create economies of scale."
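The firewall anecdote above is the clearest case of the preventative automation Hamelin describes: a rule check that runs on every change window instead of a manual audit that is stale a week later. The following is an added illustration written for this page, not code from the article, Tufin, or Qualys. The rule format ("ACTION PROTO SRC DST PORT"), the cardholder data environment (CDE) range 10.10.0.0/24, the list of cleartext services, and both rulesets are constructed assumptions for the example.

```python
"""
Added example (not from the article or any vendor named in it): a minimal
automated firewall-rule compliance check that can run after every change
window and report which new rule broke a PCI-style segmentation requirement.

Assumptions (hypothetical): rules are one per line as "ACTION PROTO SRC DST PORT"
with CIDR sources/destinations, the CDE is 10.10.0.0/24, and rule ordering /
shadowing is ignored (a real engine would evaluate first-match semantics).
"""
import ipaddress
from dataclasses import dataclass

CDE = ipaddress.ip_network("10.10.0.0/24")   # assumed cardholder data environment
ANY = ipaddress.ip_network("0.0.0.0/0")
# Cleartext services that should never be reachable inside the CDE (assumed list).
INSECURE_SERVICES = {"tcp/21": "FTP", "tcp/23": "Telnet", "tcp/80": "HTTP"}


@dataclass(frozen=True)
class Rule:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: str  # a port number as text, or "any"


def parse_rules(text: str) -> list[Rule]:
    """Parse the constructed text format; '#' starts a comment, blank lines are skipped."""
    rules = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        action, proto, src, dst, port = body.split()
        rules.append(Rule(n, action.lower(), proto.lower(),
                          ipaddress.ip_network(src), ipaddress.ip_network(dst), port))
    return rules


def check(rules: list[Rule]) -> list[tuple[int, str]]:
    """Return (line, reason) findings for every allow rule that violates the policy."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        # Inbound to the CDE from outside it (intra-CDE traffic is not "inbound").
        inbound = r.dst.overlaps(CDE) and not r.src.subnet_of(CDE)
        if inbound and r.src == ANY:
            findings.append((r.line, "any-source access into the CDE"))
        if inbound and r.port == "any":
            findings.append((r.line, "all ports open into the CDE"))
        service = f"{r.proto}/{r.port}"
        if inbound and service in INSECURE_SERVICES:
            findings.append((r.line, f"{INSECURE_SERVICES[service]} (cleartext) allowed into the CDE"))
        # Unrestricted egress from the CDE defeats the point of segmentation too.
        if r.src.overlaps(CDE) and r.dst == ANY and r.port == "any":
            findings.append((r.line, "unrestricted outbound from the CDE"))
    return findings


def is_compliant(text: str) -> bool:
    return not check(parse_rules(text))


def new_findings(before: str, after: str) -> list[tuple[int, str]]:
    """Findings introduced by a change window: present after, absent before."""
    return sorted(set(check(parse_rules(after))) - set(check(parse_rules(before))))


# Constructed sample rulesets: the audited baseline and the same firewall one
# change window later, with two "temporary" rules that were never reviewed.
BASELINE = """
allow tcp 10.20.0.0/24 10.10.0.0/24 443   # web tier to CDE application
allow tcp 10.30.0.5/32 10.10.0.0/24 22    # jump host to CDE
deny  any 0.0.0.0/0    10.10.0.0/24 any   # default deny
"""

AFTER_CHANGE_WINDOW = """
allow tcp 10.20.0.0/24 10.10.0.0/24 443   # web tier to CDE application
allow tcp 10.30.0.5/32 10.10.0.0/24 22    # jump host to CDE
allow tcp 0.0.0.0/0    10.10.0.0/24 23    # added this week: "temporary" telnet for troubleshooting
allow any 10.10.0.0/24 0.0.0.0/0    any   # added this week: CDE outbound to anywhere
deny  any 0.0.0.0/0    10.10.0.0/24 any   # default deny
"""

if __name__ == "__main__":
    print("baseline compliant:", is_compliant(BASELINE))
    for line, reason in new_findings(BASELINE, AFTER_CHANGE_WINDOW):
        print(f"rule line {line}: {reason}")
```

Run against the two constructed rulesets, the baseline passes and the post-change ruleset yields three findings, all on the two rules added during the change window. Wiring a check like this into the change process (or the firewall's own export) is what turns a one-off audit into a control that stays true between audits; the checker deliberately ignores rule ordering, which a production tool must model.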
2. Keep Your Left Hand Unaware Of The Right
If your left hand doesn't know what the right hand is doing, compliance spend will be for naught. Communication is critical, particularly between IT operations and policy development employees.