Data security is not optional. Organizations owe it to their clients to protect sensitive client data. And market forces in the form of reputation damage, revenue loss and hefty fines (for regulated data) ensure that there is plenty of incentive to do so.
As organizations move to address increasingly sophisticated security threats, they are often caught off guard by the many hidden costs of security and compliance, realizing (too late) that safeguarding data from current and future threats is more resource-intensive than first imagined—and is growing more so with each passing day.
In part 1 of this series, I outline five hidden costs of security and compliance that organizations often encounter when embarking upon data integration and management projects.
Hidden Cost #1: Not Just CAPEX
Most companies focus on capital expenditure (CAPEX) when deploying or enhancing integration platforms. Organizations typically budget costs for the front end of the project (planning, implementation, hardware, software, etc.), but overlook the fact that new technologies require extensive subject matter expertise to properly operate and maintain. The personnel resources to support a new platform are usually pulled from an existing team to save costs, but it could take months or even years before those resources gain enough training and experience to become proficient with the new technology. This is especially true if the issue of data compliance is at play, which requires an entirely different skill set. Ultimately, to avoid a single point of failure or knowledge drain, organizations eventually find that they need to hire additional resources for redundancy. All of this increases operational expenditure (OPEX); however, ongoing OPEX costs are not typically budgeted for or forecasted in the project.
Hidden Cost #2: “Tacking on” Security
Project management teams tend not to engage security and compliance teams until the later phases of technology projects, depending on their SDLC frameworks. If these teams discover security or control issues with the implementation too late in the project schedule, the resulting problem is twofold: (1) the issues may not be fully addressed before production, exposing the organization to risk, and (2) it will cost significantly more to remediate those issues post-production.
Hidden Cost #3: Continuous Compliance
If the project involves regulated data, independent attestations or certifications are required to show that your organization meets governing compliance standards such as HIPAA or PCI DSS. And while most organizations are prepared for initial certification costs, the costs of maintaining compliance and certifications over the long term are usually vastly underestimated, or overlooked entirely. These costs can be significant as enterprises struggle to keep up with ever-changing regulations and requirements that may demand new investments in technologies and/or expertise.
Hidden Cost #4: Continuous Creep
Similar to continuous compliance, continuous creep is another ongoing cost that organizations typically don’t anticipate. It’s the inevitable expansion—or creep—of an integration project as it grows to accommodate new data types, data sources, trading partners and technologies. And when dealing with sensitive or regulated data, every one of these additions must be accounted for in the overall compliance strategy. Therefore, as the scope of your project increases, so too does the scope of resources required to maintain compliance due to added complexity and/or need for additional controls.
Hidden Cost #5: Opportunity Cost
Perhaps the biggest hidden cost of all is opportunity cost. What innovations will never be made because an organization is focusing its resources on data security, compliance and “keeping the lights on,” rather than enabling new or expanded business capabilities?