You no longer need to worry about compliance if you already understand the total cost of being non-compliant. If you fall into that category, the infographic below may not be of much use to you.
In the first six months of 2015 there were 1,860 data breaches, and 95% of the exposed records were the result of hacking. A fair number of those unfortunate victims of cyber-crime were in fact compliant. Unfortunately, many were not. On top of dealing with customer churn, negative press, and recovering from attacks that hurt productivity, they then had to deal with regulators and fines.
When protecting your sensitive data, you have to set the foundation with a data-centric approach to risk management. The real-world implications of a sensitive data breach are long-lasting reputational and financial damage for companies and consumers alike. Even the high courts have lowered the bar for what constitutes harm to consumers in the event of a sensitive data breach, and although recent rulings are once more in flux, the pressure from investors and consumers is mounting.
Many organizations are trying to reduce cost while driving efficiency, and this has a large impact on security teams. There has been a trend toward running security teams that only meet the compliance regulations rather than holistic security programs. This does not provide the foundation for a data-centric approach to risk management; instead it distracts from discovering where your sensitive data is and how to minimize the risk of a breach.
Missing the basics of a security program by not meeting compliance regulations can mean some pretty hefty fines. The infographic below looks at the impact on your organization if your company doesn't meet compliance regulations.
Download the full infographic here: http://info.spirion.com/rs/369-OZQ-876/images/true-cost-of-compliance-infographic_.pdf
There is a cost for non-compliance, but the argument can be made that even compliance is not a holistic view of a security program. You need much more. I sat down with Renee Murphy, Senior Analyst for Forrester Research, and Neil Stelzer, General Counsel for Identity Finder. In the conversation, we discussed how to Reduce Compliance Risk with Data Classification. The conversation centered on the need to meet compliance standards, and on that not being enough when building a security program. Renee talked about the two pillars of process: data classification and risk management. Through these two pillars you are able to know what data is important and how to treat it.
All too often, as practitioners, we are caught up in the day-to-day, responding to the blinking lights, and we forget to take a step back and set the policies and strategy that our organizations need. This is not just checking off the boxes in overly complex compliance regulations, but making sure that we have defined policies based on classification activities and risk management. These policies need to be reviewed by stakeholders and signed off on, and everyone has to agree that this is how we are going to operate.