2020 IT Compliance
The paradox of compliance spending: what’s enough for today is not enough for tomorrow
For this survey, we asked respondents to look at a holistic budget that includes spending on staff/training, technology, formal audits, and consulting services. In an environment where concerns about cybersecurity, data privacy, and the pace of regulatory change remain high, it is not surprising that 62 percent of all organizations expect their spending on compliance to increase.
Meanwhile, just under a third of all respondents (31 percent) said their company expects to keep their 2020 compliance spending at the same level as 2019. Seven percent of all respondents said they expect their company to decrease spending on compliance.
If so many organizations feel like they’re already spending the right amount, why are they also planning to spend more next year?
These findings start to make sense when you consider that organizations are worried about a set of threats outside of their immediate control, such as cyberattacks and regulatory changes. In fact, our findings suggest that organizations expect to increase their compliance-related spend and staff (detailed findings in the next section) precisely because they’re worried about such external threats.
We posed the question “Which of the following cause your job to be more stressful?” and asked respondents to select their top three. We found that respondents are more concerned about external risk factors as opposed to internal ones.
In fact, 36 percent of all respondents named cybersecurity as one of their top concerns and 30 percent named data privacy as a top stressor. These external risk factors were chosen at higher rates as stress factors compared to internal risk factors such as leadership’s bad behavior (12 percent), dealing with the demands of the C-suite and the board (14 percent), and lack of support dedicated to IT risks and compliance (19 percent).
Additionally, many organizations have come to realize that compliance and growth are mutually dependent and inextricably linked.
Of those who said they expect compliance spending to increase over the next 12 to 24 months, the top driver for the increase in spending is business expansion. This factor is followed closely by growth in data and increase in the number of applicable regulations. These growth-oriented factors were selected as the #1 or #2 most-important factors at higher rates than other listed reasons such as a deeper understanding of our risks or greater regulatory scrutiny.
[Chart: drivers of increased compliance spending. Listed options: growth in data, increase in number of applicable regulations, greater regulatory scrutiny, deeper understanding of our risks, growth in cloud footprint.]
The Costs of Non-Compliance
Twenty-six percent of surveyed organizations said their organization has experienced a compliance lapse (e.g., privacy violation, data breach) within the last three years. These organizations spanned all the way from small organizations (under 250 employees) to enterprises (2500+ employees). Here’s how much loss they incurred:
The cost of non-compliance correlated positively with company size: bigger organizations reported larger losses at a higher rate than smaller firms.
At a moment when regulatory scrutiny is high and the number of regulations organizations must comply with is growing, putting effective compliance programs in place is more important than ever. In fact, non-compliance penalties and fines can be much lighter when an organization can demonstrate the presence of an effective compliance program.
Cybersecurity, data privacy, and regulatory compliance frameworks
At this time, there are over a dozen recognized cybersecurity, data privacy, and regulatory compliance frameworks (aka “standards”) in the market. SOC 2, ISO 27001, GDPR, CCPA, HIPAA, and CISQ are some of the more established frameworks in the compliance landscape. We asked respondents to tell us which of the following frameworks their organization currently adheres to or plans to adhere to in the next 12 to 24 months. Here’s what they said:
What’s interesting is that even though many surveyed organizations have implemented various compliance frameworks, most are not using modern tools to manage their compliance processes. In fact, 57 percent of surveyed organizations still use homegrown, ad hoc tools—a combination of spreadsheets, file storage systems (e.g., G-Drive, OneDrive) and emails—to manage their compliance programs (e.g., SOC 2, ISO 27001, GDPR).
These tools do not scale as organizations’ needs evolve, leaving organizations vulnerable to making errors. Additionally, given the cumbersome nature of certain compliance processes, compliance professionals are wasting hours each week on administrative tasks that don’t add value to their organizations.
Is There Too Much Administrative Overhead in Compliance Processes?
We asked compliance professionals to tell us about the tasks they would like to avoid: tasks they deem administrative and not a good use of their time. It turns out that the most despised task is searching through emails to find documents needed to submit to an external auditor. This answer was selected by 57 percent of all respondents.
[Chart: tasks respondents would like to avoid. Listed options: searching through emails to find documents needed to submit to auditors; filing, storing, and managing compliance documentation; training others to assist, complete tasks, or perform administrative tasks; finding information needed to meet compliance requirements.]
spend more than 10% of their time on administrative activities.
Assuming an eight-hour workday, this means that one person spends a full day of work on unproductive activities every two weeks; this adds up to 26 workdays every year.
The real number of days wasted each year on unproductive, administrative activities is likely much higher than 26 days, because some individuals in the survey said they spend up to 30, 40, or even 50 percent of their time on administrative tasks. To put all of this into perspective, let’s use the 26 workdays figure and assume that a compliance professional makes $800 per day (or $100 per hour). This means that over the course of the year, an organization pays a compliance professional $20,800 (26 days times $800) to complete manual, repetitive tasks such as searching through emails to find compliance documents.
A typical mid-size organization with 1000 employees could easily have a compliance team consisting of 10 full-time employees (and this is a conservative estimate). This means the organization would spend $208,000 per year—which is a lot to spend on administrative tasks that don’t move the needle in terms of improved security or compliance.
Survey Methodology
The 2020 IT Compliance Survey gathered 526 responses during November 2019.
We defined organizational sizes for comparison as follows: Small (50 to 249 employees), Mid (250 to 999 employees), Large (1000 to 2499 employees), and Enterprise (2500 or more employees). We excluded organizations with fewer than 50 employees because we felt that respondents from the smallest organizations would not be as knowledgeable about IT compliance as respondents from larger organizations. Twenty-two percent of all respondents came from Small organizations. Under half came from Midsize organizations. Around 120 respondents came from Large or Enterprise organizations.
All respondents came from organizations with U.S.-based headquarters. Organizations with both single and multiple locations were represented.
The top industry represented in the survey is the Technology industry, with 32 percent of total respondents identifying as coming from the tech sector. Other well-represented industries include Manufacturing (14 percent), Financial Services (10 percent) and Retail (8 percent). We had some representation from Healthcare (7 percent), Education (6 percent), and Business Services (6 percent). The remaining respondents came from Government, Advertising, Automotive, Hospitality, Transportation, and Insurance.
The most common job level respondents identified with is the director level (37 percent). Twenty-nine percent of respondents identified as a C-suite executive. Six percent of respondents identified as the CEO/president of their firm. The rest identified as SVP level or Manager level.
Forty-six percent of all respondents identified their primary job function as Information Technology. Twenty-one percent identified as Management. Fourteen percent identified their primary job function as IT Audit/IT compliance; 6 percent selected Information Security. The rest selected other functions including HR Operations, Legal, or Risk Management.
Seventy-five percent of all respondents said they are directly involved in decisions regarding data security and data privacy compliance. Twenty-one percent said they are knowledgeable enough to understand the requirements and needs regarding data security and data privacy for their organization. Just 4 percent of respondents said they are involved in maintaining and managing data security and privacy compliance but do not make decisions regarding either.
Nearly 60 percent of respondents said they are the sole decision-maker in decisions regarding data security and data privacy compliance for their organization. Twenty-three percent said they are one of the decision-makers within their organization; 15 percent said they are part of a team or committee and 3 percent said they gather information and provide research regarding data security and data privacy compliance.