The realm of IT security and cybersecurity is an increasingly complex world that is governed by a variety of security compliance regulations depending on your organization’s industry. For example, organizations in the United States that focus on health care would need to adhere to the security compliance standards outlined in the Health Insurance Portability and Accountability Act (HIPAA). Retail companies or any organizations that accept, process, store, or transmit credit card information are subject to the information security compliance requirements of the Payment Card Industry Data Security Standard (PCI DSS).
Other security compliance standards that many U.S. federal agencies, government bodies, and educational institutions need to abide by including the Federal Information Security Modernization Act (FISMA) and the National Institute of Standards and Technology (NIST) framework guidelines. Most recently, companies that work with clients or consumers who reside in Europe must adhere to the European Union’s General Data Protection Regulation (GDPR) requirements.
There are plenty more forms of compliance that are included in the “alphabet soup” of industry regulations, including:
- The Gramm-Leach-Bliley Act (GLBA),
- The Family Educational Rights and Privacy Act (FERPA), and
- The Health Information Technology for Economic and Clinical Health Act (HITECH).
We understand that it can feel impossible to know or keep up with them all. This is why it’s essential to ensure that your organization has a knowledgeable and skilled security compliance manager in place to handle these critical concerns.
An issue that some of our prospective clients run into is that they initially have no idea how much adhering to security compliance standards will cost their organization. Security compliance costs are the expenses that a business or organization incurs to abide by industry regulations, such as the salaries of compliance employees, new systems or services that are required to help meet compliance standards, and the amount of time and money they spend on reporting.
What to Consider When Evaluating Security Compliance Solutions
1. How are you looking to handle your security compliance and IT security initiatives — by using an in-house or by working with a third-party service provider, such as a managed security service provider (MSSP), to serve as a security compliance manager?
Hiring, managing, and continually training in-house employees is an expensive endeavor. In addition to salary costs and benefits, there also are the fees associated with the technologies they will require to perform their job functions, as well as the costs of training them to help them stay up-to-date on changing security compliance requirements and technologies.
Considering that Payscale.com lists the average salary of a compliance manager as $101,601, you’re talking about dedicating considerable financial resources even for just one in-house employee. When you partner with a managed security service provider to serve as your security compliance manager, you’re gaining access to a dedicated team of professionals that will be there to work with you and to answer your questions. With a managed security service provider, you won’t have to worry about Cathy in Compliance going on vacation or getting sick and not being available when you need her.
2. Can you save on security compliance costs and still fully adhere to regulatory requirements by replacing any existing on-premises solutions with bundled, cloud-based, or managed IT security solutions?
There are benefits and disadvantages to any IT security solution for different organizations. However, evaluating whether an on-premises solution or a cloud-based one is more advantageous or financially beneficial will depend on different factors affecting your organization, including:
- The size of your organization;
- Up-front costs of servers and storage vs. cloud services;
- The age of your existing IT systems;
- Reliability of services; and
- Redundant data backup capability options.
You would need to evaluate your existing solutions and compare them to bundled or cloud-based solutions that are offered by a trusted MSSP to determine what would be the best choice for your organization. Frequently, a cloud-based solution is more cost-effective for small to medium-sized businesses (SMBs) than purchasing and maintaining on-premises servers and the necessary security compliance-related solutions and security measures. However, it’s imperative that you take the time to properly research every provider you consider — what they offer, what they include in their service agreement, and what they’ll ultimately cost (including any hidden costs). This way, you go into an agreement with both eyes wide open.
3. What is your organization willing to do to integrate security compliance into your standard operating procedures (SOPs) versus what you want an MSSP to handle?
This again comes back to the question of whether you want to handle these functions in-house versus partnering with a managed security service provider. Compliance should be part of your organization’s risk management strategy. This includes performing regular compliance risk assessments along with the broader IT security risk assessments of your business.
4. If you’re looking to partner with an MSSP, does their service agreement specify compliance with appropriate laws and regulations governing consumer data?
When you partner with a managed security service provider, be sure to carefully read over their service agreement (or have your lawyer to do so) to ensure that it includes information concerning compliance effort with any regulating bodies as well as state and national laws. Some providers will not take responsibility for security compliance in their service agreements but may lead you to think they do. Then, when something goes wrong, you suddenly find your organization “under the bus.”
5. Do you need for these costs to pull from your capital expense (CapEx) budget as a big one-time investment, or do you need them to be included in your operating expense (OpEx) budget?
If your organization has a low cash flow, being able to tap into your OpEx budget can be a helpful alternative to making a significant purchase with your CapEx budget. With cloud-based services, you can pay for a monthly subscription service plan that makes your security compliance-related initiatives part of your reoccurring OpEx budget expenditures.
Furthermore, when you partner with an MSSP that uses redundant server backups at multiple locations for data backup and disaster recovery, it also can provide you with additional peace of mind in knowing that your invaluable data isn’t being stored in only one place. This means that if something were to happen to your data at one location, data backups would be available at another site or virtual location that you or your MSSP could then implement.
To learn more about the costs of security compliance, IT services, and the costs associated with a lack of adherence to IT security best practices, check out our CFO’s Guide to Cybersecurity by clicking on the link below.