Many companies are seeking methods to meet regulatory and compliance requirements as cost-effectively as possible.

As example, for the healthcare industry it means complying to HIPAA. For any business that processes credit cards they must protect their customers’ credit card data by being PCI compliant. Other companies must comply with GDPR.

This can add entire layers of time and cost to implement or worse, cost-prohibitive fines if requirements are not met. Almost all industries are effected, including non-profit and education. Each having their own compliance requirements to meet the magic check box.

As example the DOD requires compliance with NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”.  I’ve had customers tell me they can’t afford to meet these requirements and have stopped bidding on DOD contracts.

Compliance requirement can directly impact the bottom line and will not necessarily lower risk or help a company be more secure. The end result is you can be compliant and still have huge security holes and risks.  For example, Target years ago was supposedly PCI compliant. On paper they were doing everything right.  In the real world they experienced a very costly breech.

I see a significant difference between compliance and risk management. A good analogy of compliance is of a picture taken at a point in time.  I can look great in a picture, but it only captured that moment in time, it doesn’t guarantee I still look the same. That is one of the dangers of “being compliant”. A company can meet compliance requirements without really lowering risk at all.  So it’s possible to be compliant without being secure.

It can be costly to not be compliant though.  GDPR and HIPAA are both examples of GRC (compliance) requirements that could result in a very costly fines.  I know one hospital that was given a million dollar fine for being out of compliance with HIPAA.  The stakes are real.