2021 IT Compliance Benchmark Report

Comprehensive benchmarks on how technology companies are managing IT risks and IT compliance efforts during this extraordinary time in global history.

What’s Covered in the Report

In December 2020, Hyperproof surveyed 1,029 cybersecurity, security assurance/compliance, and IT decision-makers within the technology industry. The survey report examines IT security and compliance decision-makers’ attitudes towards the current cyber risk landscape and companies’ budget, staffing, and technology purchase plans for 2021 to manage IT risks and fulfill compliance obligations. It highlights organizations’ day-to-day practices in the realms of compliance operations, vendor risk management, and IT risk management.

Given that the technology industry is not a monolithic group, we examined the results by segment – company size, company revenue, location, and several others – and called out areas where there are significant differences between segments. Additionally, we analyzed what leading organizations — those who are better at achieving organizational objectives and avoiding security lapses and compliance violations than the average organization — do differently than the rest of the pack.

Top Findings In Numbers

54% of respondents anticipate spending more money in 2021 on IT risk management and compliance.

The most typical increase in spending year-over-year is between 25% and 50%.

Anticipated regulatory change is the #1 factor respondents cited when asked why they plan to increase their IT compliance budget in 2021.

86% of U.S. respondents are preparing for the potential passage of a federal data privacy and security law in the U.S. in the next few years and have factored this into their 2021 IT compliance budget.

61% of all respondents have experienced at least one security incident or compliance lapse in the last three years.

35% of all respondents – the biggest group – said that their organization manages IT risk in an ad-hoc fashion, only when a negative event happens.

When it comes to the execution of security assurance/compliance tasks, half of the respondents said they spend 50% or more of their work time on low-level administrative tasks.

70% of all respondents reported that their organizations have dedicated tools for managing IT compliance efforts.

83% of all respondents plan to evaluate/purchase new tools to streamline and automate their risk management and compliance processes in 2021.

Budgets for IT Risk and Compliance Management Will Grow For the Majority of Tech Companies in 2021

COVID-19 shook the global economy, and its negative impacts on businesses have been significant. There’s been much speculation on whether risk management and compliance programs are at risk of budget cuts as CFOs try to find ways to preserve cash and runway.

In this survey, we found that tech companies’ IT security and compliance budgets are generally immune to the economic impacts of COVID-19. Tech companies tend to view their IT risk and compliance functions as strategic functions that deserve an appropriate level of support and resources. Over half (54%) of all survey respondents said they anticipate increasing their spending on IT risk management and compliance in 2021, and 18% of all respondents plan to increase spending significantly.

Meanwhile, 30% plan to keep 2021 spending at the same level as last year, and just 5% of respondents reported they plan to make a significant cut on IT risk and compliance management spend.

Heading into 2021, do you anticipate that your organization will spend more, less or about the same amount of money on IT risk management and compliance overall?

Additionally, almost all survey respondents (99%) plan to increase their compliance budget in 2021—and 60% of respondents plan to increase their budget by at least 25% year over year. In fact, nearly one out of five respondents (18%) plan to increase their compliance budget somewhere between 50% and 100% year over year.

What is the expected or planned increase in your compliance budget in the next 12 to 24 months?

Regulatory Change Is Top of Mind For Tech Companies

We asked respondents to tell us the top factors driving their IT risk/compliance spending increases. They had to stack rank the following factors in order of importance: 1) Changes to regulations (regulatory volatility); 2) Increase in number of applicable regulations; 3) Greater regulatory scrutiny/enforcement; 4) Growth in cloud footprint; 5) Business expansion/customers’ need for assurance; 6) Growth in number of third-parties that touch corporate/customer data; and 7) Deeper understanding of our risks.

In the survey, we found that concerns about regulatory change were the dominant driver for increasing compliance budgets. In fact, just under half of all respondents (47%) selected “changes to regulations” as their #1 or #2 top factors. Concerns about “the increase in the number of applicable regulations” were also high among this crowd: 37% of all respondents selected this answer as their #1 or #2 top factors.

What are the top factors driving your IT risk/compliance spend increase?

Other factors—growth in cloud footprint, business expansion, and growth in the number of third parties—didn’t factor as prominently into organizations’ 2021 compliance budgets.

Throughout 2020, we’ve tracked developments on the data privacy regulation front in the U.S. In the past couple of years, members of Congress have put forth a number of national privacy bills, and there are signs showing that the next term of Congress may pass a national privacy and security law that mirrors the EU’s General Data Protection Regulation or the California Consumer Privacy Act. In this survey, we asked respondents “Are you factoring the potential passage of a federal data privacy and security law into your 2021 IT risk management budget?” We found that 86% of all U.S. respondents are factoring this development into next year’s budget. 69% of U.K. respondents also factored this into their budget.

Most Companies Want to Take a More Disciplined Approach to IT Risk Management and Compliance Operations

In addition to budget increases, we saw several other signs that the surveyed organizations are taking the management of IT risks and compliance quite seriously. For instance, over 92% of respondents reported using a risk management standard/framework, such as ones developed by NIST and ISO; over 78% of respondents said their organizations have identified clear roles, responsibilities, and owners for various risks, and 71% say their organization conducts risk assessments on a regular cadence.

Meanwhile, 70% of all surveyed respondents reported that their organizations have already purchased dedicated tools for managing IT compliance efforts; over half have dedicated tools to keep track of their risks and 58% also have software specifically for vendor risk management.

The Operations Gap: Most Organizations Struggle to Execute Numerous Critical IT Compliance Tasks

Although most surveyed organizations understand what “good” looks like in theory in terms of IT risk management and security assurance, most also struggle to operationalize important risk management activities day-to-day.

When we asked respondents to select the statement that best reflects how their organization manages IT risks day to day, the biggest group—35% of all respondents—reported that they manage IT risk in an ad hoc way, only when a negative event happens. Another 28% reported that IT risks are managed in siloed departments, processes, and tools.

Which of the following statements is the closest reflection of how your organization manages IT risks?

When we asked respondents to rate how their company is doing in executing key risk management actions ranging from identifying controls and understanding gaps to assessing controls’ effectiveness and keeping track of remediation tasks, around half of all respondents reported that they need to make improvements in these key activities.

How organizations rate themselves in their ability to execute key risk management and compliance tasks.

*The question we asked was “In your opinion, please rate how well your company is doing in each of the following actions”. The percentage is the share of organizations that said they need “some” or “significant” improvement in the task.

  • Identify and assess risks: 21%
  • Identify controls: 44%
  • Validate controls against standard controls in compliance frameworks: 50%
  • Align controls with risks: 51%
  • Monitor and automate controls testing: 44%
  • Flag exceptions, review and remediate: 48%
  • Assess controls’ effectiveness: 44%
  • Capture, track, and report deficiencies: 42%

How organizations feel about their ability to execute key tasks associated with effective vendor risk management.

*The question we asked was “In your opinion, please rate how well your company is doing in each of the following actions”. The percentage is the share of organizations that said the issue is a top challenge for them.

  • Incomplete, inaccurate risk information; inability to understand the true risk profile of vendors: 21%
  • Collecting risk information on third parties is manual and time consuming: 44%
  • Managing remediation projects is time consuming: 50%
  • Ongoing monitoring of third parties: we don’t have sufficient high-quality data to monitor effectively: 51%
  • Not knowing who within the business owns and operates the third-party software: 44%
  • Not knowing what sensitive information resides within third-party systems: 48%

Additionally, a full half of respondents spend 50% or more of their work time on low-level administrative tasks.

These results are discouraging given that the majority of respondents have already made sizable investments in governance, risk, and compliance technology in attempts to keep up with the many operational tasks involved in maintaining security and compliance. Together, these findings suggest that organizations haven’t gained sufficient benefits from their GRC tools.


Tech Companies Experience Security Incidents and Compliance Violations Often

Among the 1,029 respondents we surveyed, 632 individuals (61% of total) have experienced at least one compliance violation/lapse in the last three years, such as a violation of a privacy law or a data breach. Organizations have incurred losses between less than $100,000 all the way to more than $20 million USD for a single incident. The average amount lost is $5,957,210 USD.

Has your organization experienced a compliance violation/lapse in the last 3 years, such as a privacy violation or data breach?
How much did your organization incur as a result of this incident?

But Some Organizations Are Much Better at Avoiding Compliance Violations Than the Rest

We found that organizations that take an integrated view of IT risk management (and make an effort to align their risk and compliance activities) do a much better job at avoiding compliance lapses (e.g., privacy violation, data breach) than 1) those who believe the compliance function’s purpose is to enforce rules and 2) those who believe that compliance programs help with risk mitigation but conduct risk and compliance activities in silos.

While 61% of survey respondents overall reported their organization has experienced a compliance violation in the last three years, only 40% of those who take an integrated view of risk management and compliance activities experienced a compliance violation. On the other hand, 71% of all respondents who view the compliance function as the enforcer of rules have experienced a compliance violation in the past 3 years. Of those who believe that compliance programs help mitigate risk but still manage activities in silos, 58% reported a compliance violation. The differences we found are statistically significant.

Survey Methodology

The 2021 IT Risk Management and Compliance Survey gathered 1,029 responses during December 2019.
All organizations come from the Technology industry.

Organization Size

We defined organizational sizes for comparison as follows: Small (50 to less than 250 employees), Midsize (250 to less than 1,000 employees), Large (1,000 to less than 2,500 employees), and Small-Enterprise (2,500 to less than 5,000) and Large-Enterprise (5,000+). We deliberately excluded organizations with less than 50 employees because we felt that respondents from the smallest organizations would not be as knowledgeable about IT risk management as respondents from larger organizations, simply because organizations generally wait to invest in IT risk management until they’ve become viable businesses.

We have 42 respondents from Small organizations, 471 respondents from Midsize organizations, 215 respondents from Large organizations, 225 respondents from Small-Enterprise organizations, and 76 respondents from Large-Enterprise organizations.

Location

Respondents came from organizations with U.S.-based headquarters and from organizations with U.K.-based headquarters. 714 respondents come from companies with headquarters in the U.S. and 315 respondents come from companies with headquarters in the U.K. Organizations with single and multiple locations were included.

Tenure of businesses

  • 225 respondents work for companies that have been around for 5 years or less (22% of total).
  • 392 respondents work for companies that have been around for between 5 and less than 10 years (38% of total).
  • 247 respondents work for firms that are between 10 and 15 years old (24% of total).
  • 164 respondents work for firms that have been around for 15 years or longer (16% of total).

Revenue

  • 343 respondents work for companies that generated $10 million or less in 2020 annual revenue (33% of total).
  • 187 respondents work for companies that generated between $10 million and $50 million in 2020 annual revenue (18% of total).
  • 87 respondents work for companies that generated between $50 million and $100 million in 2020 annual revenue (8% of total).
  • 124 respondents work for companies that generated between $100 million and $500 million in 2020 annual revenue (12% of total).
  • 288 respondents work for companies that generated $500 million or more in 2020 annual revenue (28% of total).

Department

Respondents could select up to two departments. 905 respondents (88% of total) are in Information Technology. 124 respondents (12% of total) are in the C-suite. 96 respondents (9% of total) are in the Security/Compliance Department. Other departments – including Legal, Operations, Finance, and Engineering – were selected by a few respondents.

Job function

We asked respondents to tell us their primary job function (they could select up to 3 job functions). 846 respondents (82% of total) view Information Technology as their primary job function.

  • 347 respondents (34% of total) view Information Security as their primary job function.
  • 314 respondents (31% of total) view IT audit/IT compliance as their primary job function.
  • 217 respondents (21% of total) view Management as their primary job function.
  • 145 respondents (14% of total) view Security Assurance/Compliance as their primary job function.
  • 102 respondents (10% of total) view Risk Management as their primary job function.

We have a few additional respondents in functions such as Ethics, Policy and Compliance, and Human Resource Operations.

Decision-making regarding data security and data privacy compliance

Eighty-four percent of all respondents said they are directly involved in decisions regarding cybersecurity and data privacy risks for their organizations. Fourteen percent said they’re knowledgeable enough to understand the requirements and needs regarding cybersecurity and data privacy for their organization. Just 4% said they do not make decisions but are involved in maintaining IT security and data privacy for their company.

Roles in security, privacy, and compliance

Seventy-four percent of respondents said they are the sole decision-maker in decisions regarding data security and data privacy compliance for their organization. Seventeen percent said they are one of the decision-makers within their organization, 7% said they are part of a team or committee, and 1% said they gather information and provide research regarding data security and data privacy compliance.