Narrow the Scope of Compliance

Many organizations are doing more than they need regarding compliance.

Compliance budgets are high on the agenda of every CISO and CIO. New regulations to comply with, new environments to audit, and new requirements to support are expensive line items. However, unintuitive as it may sound, many organizations are actually doing more than they need regarding compliance. Some call it overcompliance, and it is an emerging concern among many companies, calling for closer examination.


Compliance is hard. Companies working to comply face a wide range of requirements that change frequently. To keep up, they must manage many tools, a dynamic and changing infrastructure, and a growing set of applications. This includes, among other responsibilities, staying on top of security testing, patching, user management, logging, and third-party vendor management. From a user perspective, these highly regulated environments are more restrictive and tend to be less comfortable to work in freely. So, what makes companies overspend on compliance?


For many companies, overcompliance doesn't happen overnight. Consider, for example, one of our customers, a financial institution. "When we first started our business, we made the strategic decision to scope our entire production environment," says the CIO. "With a small overhead at the time, it made sense to keep all the systems in scope." But fast forward 10 years and that production environment, which was already hosting many out-of-scope systems, now had more than 60% of its servers unnecessarily "burdened" with software licenses, authentication controls, and auditing hours required for compliance. He estimated this "overcompliance" cost the company hundreds of thousands of dollars annually.


The key to a successful audit is scope. One of the biggest mistakes we see companies make is to start applying compliance controls without truly understanding what should be considered ..
