Compliance Report

2020 IT Compliance Benchmark

How organizations are managing compliance efforts in the face of uncertainty.

Executive Summary

The overarching theme for the 2020 IT Compliance Benchmark Report is centered around the fact that it’s becoming increasingly difficult for organizations to keep up with regulatory changes and maintain a compliance program that provides adequate cover. This year, we find that organizations’ leaders have doubts as to whether they are doing enough to protect their information assets, uphold consumer privacy rights, maintain credibility, and safeguard their brand’s reputation. In fact, 62 percent of all respondents said their organization is planning to increase spending on compliance in the next 12 to 24 months, and that increase is far from trivial. There’s an updated report available here: 2024 IT Risk and Compliance Benchmark Report

62% of all organizations plan to increase spending on compliance in the next 12 to 24 months.

21% of all respondents expect their 2020 compliance budget to increase between 25 to 50 percent YOY.

66% of all organizations plan to hire additional full-time staff to support the compliance function.

Cybersecurity was selected most often as the #1 factor that makes compliance professionals’ jobs more stressful.

38% of all organizations cited business expansion as a top factor driving their compliance spend increase.

35% of all organizations cited growth in data as a top factor driving their compliance spend increase.

The paradox of compliance spending:
What’s enough for today is not enough for tomorrow

For this survey, we asked respondents to look at a holistic budget that includes spending on staff/training, technology, formal audits, and consulting services. In an environment where concerns about cybersecurity, data privacy, and the pace of regulatory change remain high, it is not surprising that 62 percent of all organizations expect their spending on compliance to increase.

Meanwhile, just under a third of all respondents (31 percent) said their company expects to keep their 2020 compliance spending at the same level as 2019. Seven percent of all respondents said they expect their company to decrease spending on compliance.

In the next 12 to 24 months, which of the following “actually” represents what your company expects or plans to do regarding compliance-related spending?

What’s paradoxical is that even though most respondents (62 percent) expect their compliance budget to increase year over year, the vast majority (81 percent) also stated they personally “feel they’re currently spending enough/the right amount on compliance.”

of respondents that said they personally feel that their organization is spending the right amount today.

of respondents that said their organization plans to increase compliance spending YOY.

If so many organizations feel like they’re already spending the right amount, why are they also planning to spend more next year?

These findings start to make sense when you consider that organizations are worried about a set of threats outside of their immediate control, such as cyberattacks and regulatory changes. In fact, our findings suggest that organizations expect to increase their compliance-related spend and staff (detailed findings in the next section) precisely because they’re worried about such external threats.

We posed the question “Which of the following cause your job to be more stressful?” and asked respondents to select their top three. We found that respondents are more concerned about external risk factors as opposed to internal ones.

In fact, 36 percent of all respondents named cybersecurity as one of their top concerns and 30 percent named data privacy as a top stressor. These external risk factors were chosen at higher rates as stress factors compared to internal risk factors such as leadership’s bad behavior (12 percent), dealing with the demands of the C-suite and the board (14 percent), and lack of support dedicated to IT risks and compliance (19 percent).

Additionally, many organizations have come to realize that compliance and growth are mutually dependent and inextricably linked.

Of those who said they expect compliance spending to increase over the next 12 to 24 months, the top driver for the increase in spending is business expansion. This factor is followed closely by growth in data and increase in the number of applicable regulations. These growth-oriented factors were selected as the #1 or #2 most-important factors at higher rates than other listed reasons such as a deeper understanding of our risks or greater regulatory scrutiny.

You stated you expect to increase the amount you spend on compliance. What are the top factors driving your compliance spend increase? Rank in order of importance:

38%
BUSINESS EXPANSION

307 respondents

35%
GROWTH IN DATA

311 respondents

34%
INCREASE IN NUMBER OF APPLICABLE REGULATIONS

307 respondents

31%
GREATER REGULATORY SCRUTINY

305 respondents

26%
DEEPER UNDERSTANDING OF OUR RISKS

303 respondents

23%
GROWTH IN CLOUD FOOTPRINT

304 respondents

23%
REGULATORY VOLATILITY

306 respondents

The Costs of Non-Compliance

Twenty-six percent of surveyed organizations said their organization has experienced a compliance lapse (e.g., privacy violation, data breach) within the last three years. These organizations spanned all the way from small organizations (under 250 employees ) to enterprises (2500+ employees). Here’s how much loss they incurred:

of respondents said they lost an amount between $100,000 to $1 million.

said they lost an amount between $1 and $5 million as a result of the non-compliance incident.

of respondents said they lost an amount between $5 and $20 million.

said the incident cost their company more than $20 million.

The cost of non-compliance correlated positively with company size: bigger organizations reported larger losses at a higher rate than smaller firms.

How much did your organization incur as a result of this incident? Examples of non-compliance costs include business disruption, productivity loss, revenue loss, fines & penalties:

Cybersecurity, data privacy, and regulatory compliance frameworks

At this time, there are over a dozen recognized cybersecurity, data privacy, and regulatory compliance frameworks (aka “standards”) in the market. SOC 2, ISO 27001, GDPR, CCPA, HIPAA, and CISQ are some of the more established frameworks in the compliance landscape. We asked respondents to tell us which of the following frameworks their organization currently adheres to or plan to adhere to in the next 12 to 24 months. Here’s what they said:

Which cybersecurity and/or data privacy compliance frameworks does your organization adhere to or plan to adhere to in the next 12 to 24 months?

What’s interesting is that even though many surveyed organizations have implemented various compliance frameworks, most are not using modern tools to manage their compliance processes. In fact, 57 percent of surveyed organizations still use homegrown, ad hoc tools—a combination of spreadsheets, file storage systems (e.g., G-Drive, OneDrive) and emails—to manage their compliance programs (e.g., SOC 2, ISO 27001, GDPR).

These tools do not scale as organizations’ needs evolve, leaving organizations vulnerable to making errors. Additionally, given the cumbersome nature of certain compliance processes, compliance professionals are wasting hours each week on administrative tasks that don’t add value to their organizations.

Is There Too Much Administrative Overhead in Compliance Processes?

We asked compliance professionals to tell us about the tasks they would like to avoid—tasks they deem to be administrative and not-good-use-of-their-time tasks. It turns out that the most despised task is searching through emails to find documents needed to submit to an external auditor. This answer was selected by 57 percent of all respondents.

Top time-wasting activities:

57%
Searching through emails to find documents needed to submit to auditors.

41%
Filing, storing, and managing compliance documentation.

41%
Training others to assist, complete tasks, or perform administrative tasks.

40%
Finding information needed to meet compliance requirements.

40%
Meetings.

>70%
spend more than 10% of their time on administrative activities.

Over 70 percent of all respondents said they spend more than 10 percent of their time on administrative activities

Assuming an eight-hour workday, this means that one person spends a full day of work on unproductive activities every two weeks; this adds up to 26 work days every year.

The real number of days wasted each year on unproductive, administrative activities is likely much higher than 26 days, because some individuals in the survey said they spend up to 30, 40, or even 50 percent of their time on administrative tasks. To put all of this into perspective, let’s use the 26 workdays figure and assume that a compliance professional makes $800 per day (or $100 per hour). This means that over the course of the year, an organization pays a compliance professional $20,800 (26 days times $800) to complete manual, repetitive tasks such as searching through emails to find compliance documents.

A typical mid-size organization with 1000 employees could easily have a compliance team consisting of 10 full-time employees (and this is a conservative estimate). This means the organization would spend $208,000 per year—which is a lot to spend on administrative tasks that don’t move the needle in terms of improved security or compliance.

2020 IT Compliance Benchmark

2020 IT Compliance Benchmark

Download the Report

Survey Methodology

The 2020 IT Compliance Survey gathered 526 responses during November 2019.

Organization Size

We defined organizational sizes for comparison as follows: Small (50 to 249 employees), Mid (250 to 999 employees), Large (1000 to 2499 employees), and Enterprise (2500 or more employees). We excluded organizations with less than 50 employees because we felt that respondents from the smallest organizations would not be as knowledgeable about IT compliance as respondents from larger organizations. 22 percent of all respondents came from Small organizations. Under half reflect Midsize organizations. Around 120 respondents came from Large or Enterprise organizations.

Location

All respondents came from organizations with U.S.-based headquarters. Organizations with both single and multiple locations were represented.

Industry

The top industry represented in the survey is the Technology industry, with 32 percent of total respondents identifying as coming from the tech sector. Other well-represented industries include Manufacturing (14 percent), Financial Services (10 percent) and Retail (8 percent). We had some representation from Healthcare (7 percent), Education (6 percent), and Business Services (6 percent). The remaining respondents came from Government, Advertising, Automotive, Hospitality, Transportation, and Insurance.

Job Level

The most common job level respondents identified with is the director level (37 percent). Twenty-nine percent of respondents identified as a C-suite executive. Six percent of respondents identified as the CEO/president of their firm. The rest identified as SVP level or Manager level.

Job Function

Forty-six percent of all respondents identified their primary job function as Information Technology. Twenty-one percent identified as Management. Fourteen percent identified their primary job function as IT Audit/IT compliance; 6 percent selected Information Security. The rest selected other functions including HR Operations, Legal, or Risk Management.

Decision-making regarding data security and data privacy compliance

Seventy-five percent of all respondents said they are directly involved in decisions regarding data security and data privacy compliance. Twenty-one percent said they are knowledgeable enough to understand the requirements and needs regarding data security and data privacy for their organization. Just 4 percent of respondents said they are involved in maintaining and managing data security and privacy compliance but do not make decisions regarding either.

Roles in security, privacy and compliance

Nearly 60 percent of respondents said they are the sole decision-maker in decisions regarding data security and data privacy compliance for their organization. Twenty-three percent said they are one of the decision-makers within their organization; 15 percent said they are part of a team or committee and 3 percent said they gather information and provide research regarding data security and data privacy compliance.