Hyperproof Presents
the 5th annual

2024 IT Risk and Compliance Benchmark Report

CHARTING THE GOVERNANCE, RISK, AND COMPLIANCE UNIVERSE

Hyperproof’s fifth annual benchmark survey is here! Each year, we ask over 1,000 IT and GRC professionals about their priorities for the coming year and operational aspects, like budget changes, staffing, challenges, and much more. 

The survey also dives deep into the market’s current state and outlines trends and best practices based on how top teams respond to the ever-changing risk and compliance operations landscape. After diving into the data, one thing became clear. As companies push for greater efficiency and transparency, security and risk teams are asked to consolidate their tech stacks and processes.

The question is: which team’s priorities will take precedence?

Check out a few of our key findings below, and then download the full report to access all of our insights.


Top Findings In Numbers

experienced a data breach in the last 24 months
expect to spend more money on IT risk in 2024
view AI strategy for their teams’ operations as important or very important
expect to spend more time on IT risk in 2024
of respondents struggle with identifying critical risks to prioritize remediations
have aligned their risk and compliance activities
have a centralized GRC program
manage IT risks in siloed departments, processes, or tools
Chapter 1

Navigating Tomorrow, Unifying Today:

Integrating Risk and Compliance

Data silos between risk management and compliance operations are reducing, but those still operating in silos are more likely to experience a breach.

Respondents are moving toward unifying risk and compliance management operations. This trend shows a push toward a more unified approach to GRC, where collaboration and having a complete, transparent view of an organization’s risk is the priority. It also emphasizes that GRC solutions need to raise the bar on their product offerings to satisfy the needs of teams across the organization beyond typical GRC stakeholders.

Key Insights

manage IT risks in siloed departments, processes, or tools vs. 31% in 2023
who have not connected risk and compliance activities experienced a supply chain disruption in the last 24 months
operating in data silos experienced a breach in the last 24 months

Managing Risk

Describe your organization’s approach to managing risk:


Breaches Experienced

Has your organization experienced a breach in the last 24 months?


Why This Matters

Those who manage risk and compliance in silos are more likely to experience breaches.

Only 18% of respondents have successfully tied together risk and compliance activities, revealing a persistent challenge reminiscent of last year’s report: the confidence to address risk did not align with the efficacy of risk management processes.

Chapter 2

The Artificial Intelligence Paradox:

AI’s Dual Role in GRC

AI technologies are both enabling more sophisticated cyber attacks and helping defend against them.

It’s no surprise that AI in cybersecurity presents a complex duality: AI simultaneously introduces new business risks while streamlining workflows for GRC professionals and helping them stay abreast of innovative new cyberattacks. The data underscores this nuanced reality. Details below:

Key Insights

leverage AI to streamline recommending relevant controls for frameworks
utilize AI to assist in reviewing documentation
are concerned about the business risks associated with generative AI

Leveraging AI

Are you using AI to streamline any of the following workflows?

Respondents who answered yes use AI in the following ways:


Concern with AI

Coming into 2024, how concerned are you about the business risks associated with generative AI?


Why This Matters

Walking the tightrope of using AI in cybersecurity is a difficult task that requires nuance.

This high level of concern indicates the industry’s acknowledgment of the complexities and potential risks of AI adoption. Organizations need to stay ahead of the latest advancements in AI to make informed decisions and leverage its transformative capabilities while keeping AI misuse top-of-mind. It all comes down to adopting AI technologies responsibly and judiciously, which requires continuous awareness, education, and a commitment to ongoing research.

Chapter 3

New Frontiers:

Mapping the Risk Landscape

Data breaches — and their business impacts — are on the rise.

Data breaches rose by 40% year-over-year, and as a result, respondents are dedicating more time to managing risks, which increases tedious manual work. Respondents are taking steps to reduce the stress and work it takes to mitigate risks, but they are being asked to do more with less. To keep up, organizations must proactively invest in cybersecurity measures, fine-tune risk management strategies, and maintain unwavering vigilance against the evolving landscape of cyber threats. Collaboration between cybersecurity and GRC professionals is also more crucial than ever, forming the cornerstone for building a resilient and secure business environment.

Key Insights

experienced a data breach within the last 24 months
spend 30% or more of their time on manual processes

Breaches Experienced

Has your organization experienced a breach in the last 24 months?


Meeting Objectives

Does your ability to identify and assess risks meet your company’s objectives?

By approach to risk management


Why This Matters

The vast majority of surveyed organizations have committed to managing their IT risks in a formal, disciplined approach.

This emphasis on eliminating tedious, manual processes aligns with the conclusions of our past and present reports, demonstrating the shift in the market to adopt such technologies to ensure a more streamlined risk and compliance experience for their teams.

Chapter 4

Understanding Third-Party Risks in Orbit

Investment in third-party risk is continuing to grow.

As businesses continue to grow, their third-party footprint does as well. The manual work only multiplies, making it more difficult for GRC and IT professionals to identify and mitigate third-party risks. Our survey data revealed that larger companies are more impacted by third-party risks. Respondents with revenue of over $100M were more likely to experience a third-party data or privacy breach than those with revenue under $100M. Additionally, most respondents still use tools like ticketing and task management systems to manage third-party risk, but the industry is slowly shifting toward integrated solutions.

Key Insights

of all surveyed experienced (or are expecting) a third-party risk audit finding
of respondents with revenues over $100M experienced a third-party breach
manage third-party risk by using dedicated IT vendor risk management solutions

Third-Party Events

Has your organization been impacted by any of the following events in the past year?


Audit Findings

Have you experienced (or are you expecting) an audit finding related to third-party risk management you cannot promptly resolve?


Why This Matters

Understanding first-party and third-party risks is a complex task that cannot be conducted manually at scale.

The significance of efficient compliance operations is now considered a brand differentiator, heightening the importance of GRC and the ability to guarantee adherence to regulatory standards, especially for large enterprises. Due to budget consolidations and increased calls for efficiency, respondents are less happy using point solutions: they want a platform that includes vendor risk management but also connects to all of their other GRC work.

Chapter 5

The Time and Budget Chronicles

Optimism for sufficient resourcing is disconnected from economic drivers.

Last year, respondents expected increases in headcount, budgets, and cross-functional resources. However, macroeconomic pressure and a focus on efficiency changed the budgeting landscape across departments, and resources declined as the year progressed. Surprisingly, most respondents expect to spend more money on IT risk management in 2024, but this may not be true. Budgets might decrease due to various factors, including shifting organizational priorities and consolidating risk and compliance management. This is causing IT and risk teams — especially those at larger organizations — to look for insights from their tech stack that showcase how their work relates to unlocking higher-level company objectives.

Key Insights

estimated average budget increase in 2024
expect to spend more time on IT risk management in 2024
of budgets consumed by risk management

2024 Spending

Do you anticipate your organization will spend more, less, or about the same amount of money on IT risk management and compliance in 2024 vs. 2023?


2024 Time Investment

Do you anticipate your organization will spend more, less, or about the same amount of time on IT risk management and compliance in 2024 vs. 2023?


Spend Allocation

Average anticipated spend allocation:


Why This Matters

Several highly publicized breaches in 2023 have made business operations more challenging for both B2B and B2C companies.

Proactive businesses are not only maintaining their existing cybersecurity attestations (like SOC 2 and ISO 27001) but expanding the number of external validations to demonstrate their trustworthiness. This trajectory reflects how much time and focus companies dedicate to strategic risk and compliance management, especially as regulatory scrutiny increases yearly. Most organizations are allocating funds toward risk management in 2024, further emphasizing the growing importance of managing risks and the need for transparency across organizations to communicate risk to stakeholders.

Chapter 6

Decision Makers in the GRC Nebula

Decision-making is becoming more collaborative among companies with integrated risk and compliance practices.

Overall, this year’s survey results showed that the trend of distributed decision-making regarding buying technology persists. The survey data revealed that whether or not companies have integrated their risk and compliance efforts impacts their strategies.

Those in the cohort who manage risk ad-hoc or when a negative event happens and who manage risk in siloed departments or tools are more likely to be the sole decision-makers for cybersecurity and risk management decisions. Those who have integrated tools are more collaborative with their decision-making.

Key Insights

say that IT- and GRC-related titles play the role of champion when evaluating new technology solutions
refer to their CFO as the financial approver of evaluating new solutions
managing IT risk ad-hoc are the sole decision-makers regarding risk management and cybersecurity at their organizations

Buying GRC Technology

Who are the financial decision-makers involved when buying compliance or risk technology?


Decision Makers

What best describes your involvement in decisions regarding cybersecurity and risk management for your organization?

Why This Matters

More stakeholders are getting involved with the technology buying processes.

As the number of stakeholders involved in buying new tech solutions increases, it is increasingly important that IT and GRC professionals understand how to convey their needs in alignment with strategic company objectives. If that alignment is not clear, new tech purchases often become easy cost-cutting targets at the executive level.

Get Your Copy Today

Download the full report and unlock key information from the GRC industry.
