What’s Covered in the Report
In November and December 2021, we surveyed 1,014 professionals in the Technology industry who hold responsibilities for security assurance, IT compliance, information security, IT audits, and IT risk management within their organizations. 700 respondents work for companies headquartered in the U.S., and 314 respondents work for companies headquartered in the U.K. Respondents come from organizations as small as 50 employees and as large as more than 10,000 employees. All respondents are directly involved in making decisions regarding security assurance, IT compliance, information security, IT audits, and IT risk management within their organizations.
Here are the top results from this year’s survey.
- of respondents said they are planning to expand their third-party risk management program in 2022.
- 90% of respondents said they were negatively affected by a third-party incident in the past year.
- 63% of respondents experienced a data breach that led to the disclosure of regulated data in the last 24 months.
- 45% of respondents said they plan to spend more on IT risk management and compliance in 2022 vs. 2021.
- of respondents said they plan to grow their compliance teams in 2022 to manage an increasing workload.
- of respondents said they test all controls implemented to meet security requirements to ensure compliance.
- 57% of respondents use the risk module in a cloud-based GRC software to document and track their risks.
- of respondents plan to evaluate new tools in 2022 to streamline and automate their compliance processes.
For the third year in a row, the majority of survey respondents reported that they plan to spend more money on compliance in the next 12 months. Forty-five percent of surveyed organizations – the biggest group – said they intend to spend more money on IT risk management and compliance in 2022 vs. 2021. Over 70% of surveyed organizations have also made commitments to manage their IT risks in a formal, disciplined approach. The further investment of resources (financial and otherwise) indicates that organizations are dedicated to shoring up their IT risk management and compliance programs.
Of the respondents who said that they expect to increase their spend on IT risk and compliance, 45% reported that they plan to spend 10-25% more in 2022.
Organizations who expect to increase spending on IT risk management and compliance in 2022 reported the following as the top factors that will drive higher spend:
Cybersecurity attacks are not only at an all-time high, but attackers’ tactics are getting more and more creative. With this in mind, it’s no surprise that the top response of organizations when asked “Which of the following causes your job to be more stressful?” was cybersecurity risks.
Many organizations suffered from data breaches in 2021. In fact, 63% of respondents reported that they experienced a data breach that led to the disclosure of regulated data — such as protected health information or other sensitive data — in the last 24 months. These data breaches proved costly for most organizations — 44% of companies who reported a data breach said they lost between $1M and $5M.
Data privacy risks were a primary stressor for our respondents as well. This also isn’t shocking considering that most surveyed organizations need to comply with multiple, disparate data privacy regulations – some of which apply broadly to businesses (including organizations’ suppliers and vendors) and to many kinds of data.
Sharp Focus on Controls and Effective Compliance Operations
Many organizations have realized that controls are the key to cybersecurity management success. These organizations have identified appropriate controls by using industry frameworks as a reference and by understanding their risks.
In fact, we saw that the use of a common controls framework (CCF) has become a mainstream practice. When asked “How does your organization deal with regional variances in data security and privacy regulations?”, 57% of all respondents said they utilize a CCF that aggregates and rationalizes compliance requirements from different laws and regulations to organize their security and privacy risk management practices.
Risk and Compliance Management Tools Proliferate but Efficiency Gains Haven’t Been Realized
The use of dedicated GRC tools to manage IT risks and compliance programs has increased year over year. For instance, 57% of respondents this year said they use the risk module in a cloud-based GRC software to document and track their risks (compared to 41% last year). However, time spent on routine, repetitive, administrative tasks has not decreased correspondingly. The typical respondent said their compliance function still spends about 40% of their time at work on tasks that are administrative in nature, tasks that aren’t a good use of a skilled professional’s time.
Why is this the case? We see two likely scenarios:
GRC tools may not be integrated with the other apps their employees are already using. In fact, while many organizations have some type of GRC software, they still manage portions of their compliance program in numerous other places.
The value of tools has been undermined by a lack of internal processes. Fifty-eight percent of all respondents admitted that their organization manages IT risk in a way that lacks sufficient planning and coordination between the various parties that need to be involved. Even the most powerful IT risk management tools can under-deliver when key processes haven’t been established.
Data Breaches Continue to
63% of respondents reported that they experienced a data breach that led to the disclosure of regulated data — such as protected health information or other sensitive data — in the last 24 months. These data breaches typically cost an organization losses in the 7 figure range.
Many organizations have become keenly aware that they need to get better at managing IT risks arising from the use of third parties. More than half of all respondents plan to expand the scope of their third-party management program in 2022. Greater awareness of third-party risk is also an often-cited reason for increasing an organization’s overall IT risk and compliance management budget in 2022.
Three-quarters of all surveyed organizations said they have a process in place today to identify, treat, and monitor third-party risks. But their processes aren’t working well — 90% of all survey respondents reported being negatively affected by a third-party incident in the past year.
The 2022 IT Risk Management and Compliance Survey gathered 1,014 responses during November and December 2021. All organizations come from the Technology industry.
We defined organizational sizes for comparison as follows:
- Small (50 to less than 250 employees),
- Midsize (250 to less than 1,000 employees),
- Large (1,000 to less than 2,500 employees),
- Small-Enterprise (2,500 to less than 5,000 employees), and
- Large-Enterprise (5,000+ employees).
We deliberately excluded organizations with less than 50 employees because we felt that respondents from the smallest organizations would not be as knowledgeable about IT risk management as respondents from larger organizations, simply because organizations generally wait to invest in IT risk management until they’ve become viable businesses.
19% of all respondents are from Small organizations, 34% of respondents are from Midsize organizations, 18% are from Large organizations, 13% of respondents are from Small-Enterprise organizations, and 16% of respondents are from Large-Enterprise organizations. The mean (average) organization in the survey has 1,968 employees.
Respondents came from organizations that have U.S.-based headquarters and U.K.-based headquarters. 700 respondents come from companies with headquarters in the U.S. 314 respondents come from companies with headquarters in the U.K. Organizations with single and multiple locations were included.
Tenure of businesses
225 respondents work for companies that have been around for 5 years or less (22% of total).
392 respondents work for companies that have been around between 5 and less than 10 years (38% of total).
247 respondents work for firms that are between 10 and 15 years old (24% of total).
164 respondents work for firms that have been around for 15 years or longer (16% of total).
21% of respondents work for companies that generated $10 million or less in 2021 annual revenue.
26% of respondents work for companies that generated between $10 million and $50 million in 2021 annual revenue.
14% of respondents work for companies that generated between $50 million and $100 million in 2021 annual revenue.
15% of respondents work for companies that generated between $100 million and $500 million in 2021 annual revenue.
25% of respondents work for companies that generated $500 million or more in 2021 annual revenue.
14% of respondents are in the C-suite.
64% of respondents are in Information Technology (IT).
15% of respondents are in Security/Compliance.
5% of respondents are in Operations.
1% of respondents are in Engineering.
Other departments, including Legal and Finance, were not selected by any respondents.
We asked respondents to tell us their primary job function (they could select up to 3 job functions).
62% of all respondents selected Information Technology as their primary Job Function.
51% of all respondents selected IT audit/IT compliance as their primary job function.
48% of all respondents selected Information Security as their primary job function.
24% of all respondents selected Risk Management as their primary job function.
23% of all respondents selected Security Assurance/Compliance as their primary job function.
15% of all respondents selected Management as their primary job function.
7% of all respondents selected Human Resource Operations and/or Management as their primary job function.
We have a few additional respondents in functions such as Ethics, Policy and Compliance, and Governmental affairs.
The vast majority of respondents are Manager level or above.
Decision-making regarding data security and data privacy compliance
Eighty-six percent of all respondents said they are directly involved in decisions regarding cybersecurity and data privacy risks for their organizations. Twelve percent said they're knowledgeable enough to understand the requirements and needs regarding cybersecurity and data privacy for their organization. Just 2% said they do not make decisions but are involved in maintaining IT security and data privacy for their company.
Roles in security, privacy, and compliance
Eighty percent of respondents said they are the sole decision-maker in decisions regarding data security and data privacy compliance for their organization. Fifteen percent said they are one of the decision-makers within their organization; 4% said they are part of a team or committee, and 1% said they gather information and provide research regarding data security and data privacy compliance.