Hyperproof Presents
The 5th Annual 2024 IT Risk and Compliance Benchmark Report
CHARTING THE GOVERNANCE, RISK, AND COMPLIANCE UNIVERSE
Hyperproof’s fifth annual IT compliance report and benchmark survey is here! Each year, we ask over 1,000 IT and GRC professionals about their priorities for the coming year and operational aspects, like budget changes, staffing, challenges, and much more.
The survey also dives deep into the market’s current state and outlines trends and best practices based on how top teams respond to the ever-changing risk and compliance operations landscape. After diving into the data, one thing became clear. As companies push for greater efficiency and transparency, security and risk teams are asked to consolidate their tech stacks and processes.
The question is: which team’s priorities will take precedence?
Check out a few of our key findings below, and then download the full IT compliance report to access all of our insights.
Top Findings In Numbers
Chapter 1
Navigating Tomorrow, Unifying Today:
Integrating Risk and Compliance
Data silos between risk management and compliance operations are shrinking, but organizations still operating in silos are more likely to experience a breach.
Respondents are moving toward unifying risk and compliance management operations. This trend shows a push toward a more unified approach to GRC, where collaboration and having a complete, transparent view of an organization’s risk is the priority. It also emphasizes that GRC solutions need to raise the bar on their product offerings to satisfy the needs of teams across the organization beyond typical GRC stakeholders.
Key Insights
Managing Risk
Describe your organization’s approach to managing risk.
Breaches Experienced
Has your organization experienced a breach in the last 24 months?
Why This Matters
Those who manage risk and compliance in silos are more likely to experience breaches.
Only 18% of respondents have successfully tied together risk and compliance activities, revealing a persistent challenge reminiscent of last year’s report: the confidence to address risk did not align with the efficacy of risk management processes.
Chapter 2
The Artificial Intelligence Paradox:
AI’s Dual Role in GRC
AI technologies are both enabling more sophisticated cyber attacks and helping defend against them.
It’s no surprise that AI in cybersecurity presents a complex duality: AI simultaneously introduces new business risks while streamlining workflows for GRC professionals and helping them keep pace with new and inventive cyberattacks. The data underscores this nuanced reality. Details below:
Key Insights
Leveraging AI
Are you using AI to streamline any of the following workflows?
(Respondents who answered yes were also asked how they use AI.)
Concern with AI
Coming into 2024, how concerned are you about the business risks associated with generative AI?
Why This Matters
Walking the tightrope of using AI in cybersecurity is a difficult task that requires nuance.
This high level of concern indicates the industry’s acknowledgment of the complexities and potential risks of AI adoption. Organizations need to stay ahead of the latest advancements in AI to make informed decisions and leverage its transformative capabilities while keeping AI misuse top-of-mind. It all comes down to adopting AI technologies responsibly and judiciously, which requires continuous awareness, education, and a commitment to ongoing research.
Ready to learn more?
Download the full IT compliance report.
Chapter 3
New Frontiers:
Mapping the Risk Landscape
Data breaches — and their business impacts — are on the rise.
Data breaches rose by 40% year-over-year, and as a result, respondents are dedicating more time to managing risks, which increases tedious manual work. Respondents are taking steps to reduce the stress and work it takes to mitigate risks, but they are being asked to do more with less. To keep up, organizations must proactively invest in cybersecurity measures, fine-tune risk management strategies, and maintain unwavering vigilance against the evolving landscape of cyber threats. Collaboration between cybersecurity and GRC professionals is also more crucial than ever, forming the cornerstone for building a resilient and secure business environment.
Key Insights
Breaches Experienced
Has your organization experienced a breach in the last 24 months?
Meeting Objectives
Does your ability to identify and assess risks meet your company’s objectives?
(Broken down by approach to risk management.)
Why This Matters
The vast majority of surveyed organizations have committed to managing their IT risks in a formal, disciplined approach.
This emphasis on eliminating tedious, manual processes aligns with the conclusions of our past and present reports, demonstrating the shift in the market to adopt such technologies to ensure a more streamlined risk and compliance experience for their teams.
Chapter 4
Understanding Third-Party Risks in Orbit
Investment in third-party risk is continuing to grow.
As businesses continue to grow, their third-party footprint does as well. The manual work only multiplies, making it more difficult for GRC and IT professionals to identify and mitigate third-party risks. Our survey data revealed that larger companies are more impacted by third-party risks. Respondents with revenue of over $100M were more likely to experience a third-party data or privacy breach than those with revenue under $100M. Additionally, most respondents still use tools like ticketing and task management systems to manage third-party risk, but the industry is slowly shifting toward integrated solutions.
Key Insights
Third-Party Events
Has your organization been impacted by any of the following events in the past year?
Audit Findings
Have you experienced (or are you expecting) an audit finding related to third-party risk management you cannot promptly resolve?
Why This Matters
Understanding first-party and third-party risks is a complex task that cannot be conducted manually at scale.
Efficient compliance operations are now considered a brand differentiator, heightening the importance of GRC and the ability to guarantee adherence to regulatory standards, especially for large enterprises. Due to budget consolidations and increased calls for efficiency, respondents are less happy using point solutions: they want a platform that includes vendor risk management but also connects to all of their other GRC work.
Ready to learn more?
Download the full report.
Chapter 5
The Time and Budget Chronicles
Optimism for sufficient resourcing is disconnected from economic drivers.
Last year, respondents expected increases in headcount, budgets, and cross-functional resources. However, macroeconomic pressure and a focus on efficiency changed the budgeting landscape across departments, and resources declined as the year progressed. Surprisingly, most respondents expect to spend more money on IT risk management in 2024, but that expectation may not hold. Budgets might decrease due to various factors, including shifting organizational priorities and consolidating risk and compliance management. This is causing IT and risk teams — especially those at larger organizations — to look for insights from their tech stack that showcase how their work relates to unlocking higher-level company objectives.
Key Insights
2024 Spending
Do you anticipate your organization will spend more, less, or about the same amount of money on IT risk management and compliance in 2024 vs. 2023?
2024 Time Investment
Do you anticipate your organization will spend more, less, or about the same amount of time on IT risk management and compliance in 2024 vs. 2023?
Spend Allocation
Average anticipated spend allocation.
Why This Matters
Several highly publicized breaches in 2023 have made business operations more challenging for both B2B and B2C companies.
Proactive businesses are not only maintaining their existing cybersecurity attestations (like SOC 2 and ISO 27001) but expanding the number of external validations to demonstrate their trustworthiness. This trajectory reflects how much time and focus companies dedicate to strategic risk and compliance management, especially as regulatory scrutiny increases yearly. Most organizations are allocating funds toward risk management in 2024, further emphasizing the growing importance of managing risks and the need for transparency across organizations to communicate risk to stakeholders.
Chapter 6
Decision Makers in the GRC Nebula
Decision-making is becoming more collaborative among companies with integrated risk and compliance practices.
Overall, this year’s survey results showed that the trend of distributed decision-making regarding buying technology persists. The survey data revealed that whether or not companies have integrated their risk and compliance efforts impacts their strategies.
Respondents who manage risk ad hoc (or only when a negative event happens) and who manage risk in siloed departments or tools are more likely to be the sole decision-makers for cybersecurity and risk management decisions. Those who have integrated tools are more collaborative in their decision-making.
Key Insights
Buying GRC Technology
Who are the financial decision-makers involved when buying compliance or risk technology?
Decision Makers
What best describes your involvement in cybersecurity and risk management decisions for your organization?
Why This Matters
More stakeholders are getting involved with the technology buying processes.
As the number of stakeholders involved in buying new tech solutions increases, it is increasingly important that IT and GRC professionals understand how to convey their needs in alignment with strategic company objectives. If that alignment is not clear, new tech purchases often become easy cost-cutting targets at the executive level.