Security compliance – a carrot or a stick?


Be honest, we’ve all asked this at some point. Perhaps complying with a particular regulation has meant you couldn’t do something as quickly as you wanted to, or in the way you wanted to do it. Maybe you see it as a distraction, a hoop to jump through in order to achieve the real goal, or you perceive it as nothing more than a box ticking exercise.

Like many things, it depends on your perspective. Compliance is no different – yes it takes work to achieve and is sometimes used as a “stick” to punish undesirable behaviour, but the “carrots” it can bring to your business are numerous, some even transformational. Here are our top five reasons why security compliance is a good thing and the benefits it brings:

1. It opens doors and opportunities

One of the biggest “carrots” has got to be the opportunities compliance opens for your organisation. The points below look at the external “carrots”, but clearly there will be internal ones as well. Operating in accordance with security compliance standards opens many avenues that were previously closed or restricted. These include:

  • Access to new markets and customers: a number of regulated markets, such as financial services and government, require certain standards to be met both within their own organisation and within the suppliers they use. Meeting their compliance requirements opens doors to organisations that were previously very difficult to access or out of reach.
  • Increased access to financial investment: adhering to information security standards demonstrates to external organisations that you take the protection of your online and information assets seriously. It shows you have controls in place to boost your resilience against the disruption caused by cyber attacks and data breaches. This makes your organisation more attractive to investors, shareholders and financial institutions, which leads to improved access to investment and funding.
  • Increases your organisation’s value / worth: linked to the increased investment potential, by effectively managing one of the biggest threats to a company’s ability to operate, you can increase the value of the company. This manifests itself in the share price and net worth of the company, both of which are key for mergers and acquisitions.

2. Protects your business reputation

Cyber attacks and data breaches are increasingly common, and we typically become aware of them through the media. The frequency of these events has desensitised us to their occurrence, and it has changed our focus. In part this is due to increased legislation (such as the GDPR) and how companies are seen to handle incidents, including the remediation and communication to affected parties.

These incidents can harm a company’s reputation, undermine trust between the organisation and its customers, and send the message that the company is untrustworthy and does not take appropriate steps to protect the privacy and security of its customers, clients and employees.

The direct costs of managing and remediating such incidents can be massive and are typically compounded by industry fines such as those imposed under the GDPR. The indirect consequences are not always as tangible or clear. In the immediate aftermath, companies have to notify customers and suppliers about the breach and minimise collateral damage resulting from the incident. Typical knock-on effects from these incidents include:

  • Loss of business from existing customers
  • New prospects becoming harder to find
  • Reduced opportunities for external investment
  • Damage to company value

You can view this in two ways – as the “stick” of possible outcomes you are trying to avoid, or as the “carrot” of benefits you want to achieve as a consequence of best practice data security compliance:

  • Reducing financial and operational risk
  • Being better prepared to act and manage incidents when they do occur
  • Minimising an incident’s impact on retaining / expanding existing business and securing future business opportunities

3. Reduces the risk of a fine!

Lawmakers and regulatory bodies are progressively imposing legislation that protects the security and privacy of personal data collected by organisations. Breaches of these laws and regulations can lead to severe fines and penalties.

Common pieces of legislation that companies are obliged to adhere to include the GDPR and PCI DSS, but industry bodies are also mandating good security compliance and governance, such as the FCA, RICS and the Regulator of Social Housing.

Organisations that embrace good security compliance will reduce their exposure to the risk of data breaches and industry fines. Examples of good security compliance include securing the data they collect (both in transit and at rest) and operating good data governance, including ensuring they only hold data they require.

To avoid the “stick” of costly fines and penalties, organisations must comply with security compliance standards in addition to regulations that apply to their specific industry.

4. Enhances your insights and operations (and reduces costs!)

When organisations embrace security compliance through processes, tools and software, it often exposes inefficiencies within their business such as poorly managed personnel, assets, or other resources that can be redeployed to enhance business operational efficiency.

For example, a company auditing the data it collects on customers to comply with the GDPR may find that only a portion of its customers have consented to their data being collected. Furthermore, it may discover that some of the data it is collecting is not required – or worse, that it is not permitted to hold it at all.

By removing the data they don’t need or have consent for, not only will that support GDPR compliance, the organisation may also be able to reduce its data storage costs. This process might also deliver insights into the profile and behaviours of their customers, which could in turn inform their marketing strategy.

By deploying security management solutions and frameworks to achieve good security compliance, many companies find that they also gain insights into people, processes and applications, highlighting inadequately managed or poorly configured areas of the business. Changes to these areas could improve customer experience and/or business operations, potentially reducing costs and driving more revenue.

5. Enhances company culture and accountability

Organisations that embrace good security compliance measures have the opportunity to enhance their corporate culture, enabling them to exceed compliance standards and regulations, show industry leadership and gain a competitive edge.

By implementing a security-first culture, the organisation’s external identity is enhanced, promoting the organisation as one that:

  • Does the right thing
  • Takes security seriously
  • Invests in the security and privacy of employees and customers
  • Sees data governance and security as a matter of pride and trust, not a legal obligation or a tick box exercise

Good security culture also helps with accountability, security monitoring and managing sensitive data, applications and systems. Security compliance ensures that only individuals with the appropriate credentials can access secure systems and databases that contain sensitive customer data.

Organisations that implement security monitoring systems must ensure that access to those systems is monitored at an organisational level, and that actions within the systems are logged such that they can be traced to their origin.

With news of organisations having to report data breaches to their customers becoming almost a daily occurrence, you’d be forgiven for thinking that customers and employees alike have lost trust and become suspicious of organisations. Organisations have a choice:

  • Be seen as untrustworthy or opaque in how they manage and treat employee and customer data, or;
  • Actively promote good data governance and security, gaining loyalty from employees and customers and engendering a collective sense of pride as they take the appropriate steps to protect employee, corporate and customer data.

Once embedded, a security culture translates into better internal compliance and stronger adherence to company policies, ultimately further supporting data security and limiting organisational risk.

Starting your compliance journey?

You’ve read about a number of “sticks” and “carrots” around implementing good security compliance – what is your stance?

Regardless of your perspective, cyber attacks and data breaches are very much a fact of business life. This means that organisations don’t have the luxury of ignoring them for very long without being hit by a “stick”.

If you would like to discuss your security compliance journey or need help responding to a cyber attack or personal data breach, norm is here to help take away the drama and hassle, allowing you to focus on what your business does best.

Contact norm. via email, our hotline: 020 3855 5303 or our online chat.

Further reading:

Accountability Framework: How to demonstrate compliance

Written by Peter Prouse
Peter Prouse is a Business Development Manager at NormCyber and is responsible for driving awareness and engagement with corporate clients. He has worked in the technology industry for over 20 years in a variety of Technical Architect and Procurement / Technology Consultant roles.