2021 IT Compliance
What’s Covered in the Report
In December 2020, Hyperproof surveyed 1,029 cybersecurity, security assurance/compliance, and IT decision-makers within the technology industry. The survey report examines IT security and compliance decision-makers’ attitudes towards the current cyber risk landscape and companies’ budget, staffing, and technology purchase plans for 2021 to manage IT risks and fulfill compliance obligations. It highlights organizations’ day-to-day practices in the realms of compliance operations, vendor risk management, and IT risk management.
Given that the technology industry is not a monolithic group, we examined the results by segment (company size, company revenue, location, and several others) and called out areas where there are significant differences between segments. Additionally, we analyzed what leading organizations, those that are better than the average organization at achieving organizational objectives and avoiding security lapses and compliance violations, do differently from the rest of the pack.
Top Findings In Numbers
54% of respondents anticipate spending more money in 2021 on IT risk management and compliance.
The most typical increase in spending year-over-year is between 25% and 50%.
Anticipated regulatory change is the #1 factor respondents cited when asked why they plan to increase their IT compliance budget in 2021.
86% of U.S. respondents are preparing for the potential passage of a federal data privacy and security law in the U.S. in the next few years and have factored this into their 2021 IT compliance budget.
61% of all respondents have experienced at least one security incident or compliance lapse in the last three years.
35% of all respondents - the biggest group - said that their organization manages IT risk in an ad-hoc fashion, only when a negative event happens.
When it comes to the execution of security assurance/compliance tasks, half of the respondents said they spend 50% or more of their work time on low-level administrative tasks.
70% of all respondents reported that their organizations have dedicated tools for managing IT compliance efforts.
83% of all respondents plan to evaluate/purchase new tools to streamline and automate their risk management and compliance processes in 2021.
Budgets for IT Risk and Compliance Management Will Grow For the Majority of Tech Companies in 2021
COVID-19 shook the global economy, and its negative impacts on businesses have been significant. There’s been much speculation on whether risk management and compliance programs are at risk of budget cuts as CFOs try to find ways to preserve cash and runway.
In this survey, we found that tech companies’ IT security and compliance budgets are largely insulated from the economic impacts of COVID-19. Tech companies tend to view their IT risk and compliance functions as strategic functions that deserve an appropriate level of support and resources. Over half (54%) of all survey respondents said they anticipate increasing their spending on IT risk management and compliance in 2021, and 18% of all respondents plan to increase spending significantly.
Meanwhile, 30% plan to keep 2021 spending at the same level as last year, and just 5% of respondents reported they plan to make a significant cut on IT risk and compliance management spend.
Among the respondents who plan to increase spending (the only base consistent with the 54% figure above), almost all (99%) expect their compliance budget to grow in 2021, and 60% plan to increase it by at least 25% year over year. In fact, nearly one in five (18%) plan to increase their compliance budget by between 50% and 100% year over year.
Regulatory Change Is Top of Mind For Tech Companies
We asked respondents to tell us the top factors driving their IT risk/compliance spending increases, ranking the following seven factors in order of importance: 1) Changes to regulations (regulatory volatility); 2) Increase in the number of applicable regulations; 3) Greater regulatory scrutiny/enforcement; 4) Growth in cloud footprint; 5) Business expansion/customers’ need for assurance; 6) Growth in the number of third parties that touch corporate/customer data; and 7) Deeper understanding of our risks.
In the survey, we found that concern about regulatory change was the dominant driver for increasing compliance budgets. Just under half of all respondents (47%) ranked “changes to regulations” as their #1 or #2 factor. Concern about “the increase in the number of applicable regulations” was also high: 37% of all respondents ranked that answer #1 or #2.
Other factors—growth in cloud footprint, business expansion, and growth in the number of third parties—didn't factor as prominently into organizations’ 2021 compliance budgets.
Throughout 2020, we’ve tracked developments on the data privacy regulation front in the U.S. In the past couple of years, members of Congress have put forth a number of national privacy bills, and there are signs showing that the next term of Congress may pass a national privacy and security law that mirrors the EU’s General Data Protection Regulation or the California Consumer Privacy Act. In this survey, we asked respondents “Are you factoring the potential passage of a federal data privacy and security law into your 2021 IT risk management budget?” We found that 86% of all U.S. respondents are factoring this development into next year’s budget. 69% of U.K. respondents also factored this into their budget.
Most Companies Want to Take a More Disciplined Approach to IT Risk Management and Compliance Operations
In addition to budget increases, we saw several other signs that the surveyed organizations are taking the management of IT risks and compliance quite seriously. For instance, over 92% of respondents reported using a risk management standard/framework, such as ones developed by NIST and ISO; over 78% of respondents said their organizations have identified clear roles, responsibilities, and owners for various risks, and 71% say their organization conducts risk assessments on a regular cadence.
Meanwhile, 70% of all surveyed respondents reported that their organizations have already purchased dedicated tools for managing IT compliance efforts; over half have dedicated tools to keep track of their risks and 58% also have software specifically for vendor risk management.
The Operations Gap: Most Organizations Struggle to Execute Numerous Critical IT Compliance Tasks
Although most surveyed organizations understand what “good” looks like in theory in terms of IT risk management and security assurance, most also struggle to operationalize important risk management activities day-to-day.
When we asked respondents to select the statement that best reflects how their organization manages IT risks day to day, the biggest group—35% of all respondents—reported that they manage IT risk in an ad hoc way, only when a negative event happens. Another 28% reported that IT risks are managed in siloed departments, processes, and tools.
When we asked respondents to rate how their company is doing in executing key risk management actions ranging from identifying controls and understanding gaps to assessing controls’ effectiveness and keeping track of remediation tasks, around half of all respondents reported that they need to make improvements in these key activities.
[Chart: How organizations rate themselves in their ability to execute key risk management and compliance tasks. Survey question: “In your opinion, please rate how well your company is doing in each of the following actions”.]
Additionally, a full half of respondents spend 50% or more of their work time on low-level administrative tasks.
These results are discouraging, given that the majority of respondents have already made sizable investments in governance, risk, and compliance (GRC) technology in an attempt to keep up with the many operational tasks involved in maintaining security and compliance. Together, these findings suggest that organizations haven’t yet gained sufficient benefit from their GRC tools.
Tech Companies Experience Security Incidents and Compliance Violations Often
Among the 1,029 respondents we surveyed, 632 individuals (61% of the total) have experienced at least one compliance violation or lapse in the last three years, such as a violation of a privacy law or a data breach. Losses from a single incident ranged from less than $100,000 USD to more than $20 million USD; the average loss reported was $5,957,210 USD.
But Some Organizations Are Much Better at Avoiding Compliance Violations Than the Rest
We found that organizations that take an integrated view of IT risk management (and make the effort to align their risk and compliance activities) do a much better job of avoiding compliance lapses (e.g., privacy violations, data breaches) than 1) those who believe the compliance function’s purpose is to enforce rules and 2) those who believe that compliance programs help with risk mitigation but conduct risk and compliance activities in silos.
While 61% of survey respondents overall reported their organization has experienced a compliance violation in the last three years, only 40% of those who take an integrated view of risk management and compliance activities experienced a compliance violation. On the other hand, 71% of all respondents who view the compliance function as the enforcer of rules have experienced a compliance violation in the past 3 years. Of those who believe that compliance programs help mitigate risk but still manage activities in silos, 58% reported a compliance violation. The differences we found are statistically significant.
Survey Methodology
The 2021 IT Risk Management and Compliance Survey gathered 1,029 responses during December 2020.
All organizations come from the Technology industry.
We defined organizational sizes for comparison as follows: Small (50 to fewer than 250 employees), Midsize (250 to fewer than 1,000 employees), Large (1,000 to fewer than 2,500 employees), Small-Enterprise (2,500 to fewer than 5,000 employees), and Large-Enterprise (5,000+ employees). We deliberately excluded organizations with fewer than 50 employees because we felt that respondents from the smallest organizations would not be as knowledgeable about IT risk management as respondents from larger organizations, simply because organizations generally wait to invest in IT risk management until they have become viable businesses.
We have 42 respondents from Small organizations, 471 respondents from Midsize organizations, 215 respondents from Large organizations, 225 respondents from Small-Enterprise organizations, and 76 respondents from Large-Enterprise organizations.
Respondents came from organizations headquartered in either the U.S. or the U.K.: 714 respondents work for companies headquartered in the U.S. and 315 respondents work for companies headquartered in the U.K. Organizations with single and multiple locations were included.
Tenure of businesses
225 respondents work for companies that have been around for 5 years or less (22% of total).
392 respondents work for companies that have been around for 5 to less than 10 years (38% of total).
247 respondents work for firms that are between 10 and 15 years old (24% of total).
164 respondents work for firms that have been around for 15 years or longer (16% of total).
Annual revenue
343 respondents work for companies that generated $10 million or less in 2020 annual revenue (33% of total).
187 respondents work for companies that generated between $10 million and $50 million in 2020 annual revenue (18% of total).
87 respondents work for companies that generated between $50 million and $100 million in 2020 annual revenue (8% of total).
124 respondents work for companies that generated between $100 million and $500 million in 2020 annual revenue (12% of total).
288 respondents work for companies that generated $500 million or more in 2020 annual revenue (28% of total).
Respondents could select up to two departments. 905 respondents (88% of total) are in Information Technology. 124 respondents (12% of total) are in the C-suite. 96 respondents (9% of total) are in the Security/Compliance Department. Other departments - including Legal, Operations, Finance, and Engineering - were selected by a few respondents.
We asked respondents to tell us their primary job function (they could select up to 3 job functions). 846 respondents (82% of total) view Information Technology as their primary job function.
347 respondents (34% of total) view Information Security as their primary job function.
314 respondents (31% of total) view IT audit/IT compliance as their primary job function.
217 respondents (21% of total) view Management as their primary job function.
145 respondents (14% of total) view Security Assurance/Compliance as their primary job function.
102 respondents (10% of total) view Risk Management as their primary job function.
We have a few additional respondents in functions such as Ethics, Policy and Compliance, and Human Resource Operations.
Decision-making regarding data security and data privacy compliance
Eighty-four percent of all respondents said they are directly involved in decisions regarding cybersecurity and data privacy risks for their organizations. Fourteen percent said they are knowledgeable enough to understand the requirements and needs regarding cybersecurity and data privacy for their organization. Just 4% said they do not make decisions but are involved in maintaining IT security and data privacy for their company.
Roles in security, privacy, and compliance
Seventy-four percent of respondents said they are the sole decision-maker in decisions regarding data security and data privacy compliance for their organization. Seventeen percent said they are one of the decision-makers within their organization, 7% said they are part of a team or committee, and 1% said they gather information and provide research regarding data security and data privacy compliance.