Benefits and cost savings of compliant security controls
What are the benefits or cost savings of implementing security controls that are compliant with regulatory information security compliance requirements during the SDLC versus after an application is already in production or worse, after public disclosure of a security control (or lack thereof) breach? Finding published cost/benefit analysis on this has been fruitless so far.
I wish there were a canonical body of literature and statistical study to address what you're asking about directly. The best I can do is to tell you what I do to track this kind of information and suggest you do likewise -- namely, visit your favorite search engine and search on things like "ROI from compliance," "benefits of regulatory compliance," and so forth. I've found lots of interesting articles and reports, but mostly anecdotal, that address these topics (including, for example, Gary Milefsky's nice piece "Benefits of Regulatory Self-assessments" right from SearchCIO.com).
Conventional wisdom argues that prevention is better than cure, and that later cure costs more than earlier cure, so again this supports the notion that implementing earlier should offer better pay-offs than implementing later, but I am neither aware of, nor can I find, any studies to prove or disprove this common-sense hypothesis.
This is a very interesting area, in the sense of the Chinese curse, and one that could certainly use more study, so that we could all benefit from the results.
This was first published in October 2006