The world of regulatory compliance is always evolving, with requirements constantly multiplying. At the same time, many IT departments are seeing their budgets frozen or cut, presenting significant challenges in terms of managing GRC processes and maintaining data security. With manual, spreadsheet-based processes still common in the enterprise, it is becoming increasingly difficult for businesses to have an overview of their various compliance requirements and ensure that they continue to meet standards.
Earlier this year we conducted a survey of 130 IT and security professionals based in the UK. Respondents came from companies of various sizes and from a wide range of industry sectors, with all of them having responsibility for governance and compliance. They worked for companies ranging in size from less than 10 UK employees to more than 5000, and in a variety of sectors including technology, government, banking and energy.
The aim of the survey was to gather data on current trends and attitudes in risk and compliance, covering issues such as budgets, data breaches, the most common standards that businesses have to meet, the priority that management places on risk and compliance and the systems organisations have in place. Let’s take a look at the key findings.
A high priority with restricted budgets
The survey participants were asked to rate the priority that their IT department and senior management place on risk and compliance from 0 to 10, with 0 being least critical and 10 being most critical. 72 per cent gave their IT department a score of 7 or above, with the figure only slightly less (70 per cent) for senior management. Around a quarter of respondents awarded full marks.
But despite it being seen as a high priority, it seems that this is not being reflected in organisations’ budgets for compliance activity. Respondents were asked how the budget had changed over the past 12 months, and 53 per cent said that it had decreased or remained the same. A further 16 per cent did not know, leaving only 31 per cent who had seen their compliance budgets increase over the last year.
This illustrates a major pain point that exists in many organisations, that while their compliance burden is growing they are being asked to do more with less. This is creating a knock on effect for IT teams, causing many to resort to rudimentary methods to monitor risk and compliance, which simply aren’t as effective.
Manual processes remain prevalent
This is perhaps most obvious when looking at the processes organisations rely on for managing their compliance. We asked respondents questions regarding the systems that their organisation had in place for compliance and risk management. 39 per cent said their organisation had a manual, spreadsheet-based process for risk management, while 37 per cent had a similar process for compliance management. A further 22 per cent said that their organisation had no system in place for risk management, or did not know, which rose to 28 per cent for compliance management.
19 per cent of those surveyed admitted that their organisation does not carry out an annual risk assessment of IT, and a further 3 per cent did not know. Interestingly, 61 per cent of them also had no system in place for compliance management, while half did not have a system for risk management.
These challenges can be quickly overcome by automating processes. This makes it easier for companies to get a clear view of their compliance and risk profile from a business perspective, helping to minimise their exposure to risks while saving IT teams both time and costs. This quickly realises key strategic and operational benefits, and provides a solid foundation for future business planning.
The security threat
Cyber-attacks present a growing threat to all types of organisations. The survey participants were asked if their organisation had suffered a security incident that had led to a data breach in the past 12 months, with the results showing that over a quarter (27 per cent) had. There was also a correlation between those who had experienced data breaches and the types of processes they have in place, with 55 per cent of them having manual processes for risk management and 48 per cent having manual compliance management systems. The most common type of breach was an accidental internal breach, followed by a malware infection.
The growing compliance burden
Business compliance requirements are growing, and it is becoming progressively more challenging for organisations to have an overview of their risk and compliance status across the business – especially when they are relying on manual, paper-based processes to do so.
The results of the survey highlight the breadth of compliance requirements that organisations currently face. Only 31 per cent of respondents had no or only one compliance standard that they must meet, while 9 per cent had more than three. The most common compliance standards identified were ISO 27000 (49 per cent), PCI (39 per cent) and ISO 9000 (20 per cent).
With IT departments seeing their compliance budgets cut in real terms, businesses run the risk of falling short of compliance standards, incurring penalties and even suffering data loss incidents. Until organisations start to provide IT teams with budgets that match the priority of risk and compliance within the business, they will face an increasingly difficult battle to remain compliant, reduce risk and stay breach-free.
Richard Hibbert, co-founder and CEO, SureCloud
Image Credit: Shutterstock/Tom Wang