2023 IT Compliance Benchmark Report
Industry Game-Changers and the Outlook on 2023
A comprehensive look at how companies are responding to the ever-evolving compliance landscape.
What’s in the Report
We surveyed 1,010 security, compliance, and risk management professionals throughout the US and UK to understand their pain points, IT risk and compliance budgets, staffing, risk management best practices, and much more. Our 2023 benchmark report provides an in-depth view of the market’s current state and what to prepare for this year. One trend we saw throughout the data was clear: compliance operations professionals are ready to level up their risk responses to avoid becoming a breaking news story about another security breach.
Top Findings In Numbers
of respondents say their company has a board member with cybersecurity expertise
of respondents said that their companies have made changes to how legal teams work with CISOs in the wake of the Uber verdict
of respondents say they struggle with identifying where the critical risks are in order to figure out what remediations to prioritize
of respondents said they use spreadsheets to manage their IT compliance vs. 43% in 2022
of respondents believe that having a solid compliance program helps mitigate risks
of respondents said their organization has an integrated view on how they manage their risks and have aligned their risk and compliance activities
of all respondents anticipate spending more time on IT risk management and compliance in 2023 vs. 2022
of respondents said that their compliance team will grow in size over the next two years
Operationalizing Compliance and Risk Continues to Be a Challenge
Manual processes continue to be a problem for InfoSec professionals. 51% struggle to identify where critical risks are (e.g. know what systems/cyber assets have sensitive data/are exposed due to misconfiguration). 39% struggle to find risk-related information when they need it (e.g., multiple spreadsheets containing risk assessment results). 38% struggle with switching between multiple systems throughout the risk management process (e.g. separate places for risk assessment vs. tracking remediations).
Companies have leveled up operational compliance but are still struggling to connect the dots with risk. Although the GRC vendor and the analyst communities have touted the benefits of integrating risk management and compliance — from time-savings and useful integrations to workflow automation — 90% of surveyed organizations are still managing risks and their compliance program in silos.
Only 10% of respondents said their organization has an integrated view on how they manage their risks and have aligned their risk and compliance activities. Meanwhile, 57% of respondents believe that having a solid compliance program helps them mitigate risks, but risk management and compliance activities are typically conducted in response to separate events.
Expansion Packs for Budget
Surprisingly, Spend on IT Compliance and Risk Continues to Increase
Even with a recession looming, security and compliance is one area where spend remains high. Regulatory activity has been increasing rapidly, and new regulations are forcing companies to adapt quickly and expand their teams to meet new regulatory demands. For the fourth year in a row, the majority of survey respondents reported that they plan to spend more money on compliance in the next 12 months.
63% of respondents said they will spend more on IT risk management and compliance in 2023, compared to 45% in 2022. This further investment of resources (financial and otherwise) indicates that organizations are expanding their IT risk management and compliance programs. Of the respondents who said that they expect to increase their spend on IT risk and compliance, 40% reported they plan to spend 10-25% more in 2023, followed by 29% reporting that they planned on a 25-50% increase.
New Players Have Entered the Game
The Relationship Between the C-Suite and Compliance Operations is Changing
We’re living in an environment where regulatory enforcement and scrutiny around companies’ security programs and other types of compliance programs has increased. This year, companies are responding to this scrutiny, resulting in organizational changes and board members with an eagle eye on all things compliance. 33% of respondents said that in the wake of the Joe Sullivan/Uber case verdict, their company has made changes to how the legal team works with their CISO to protect the company.
Additionally, 85% of respondents say their company has a board member with cybersecurity expertise. It comes as no surprise that executive teams are paying more attention than ever to how their company is staying secure. As the board takes a magnifying glass to cybersecurity and legal teams get more involved with CISOs, compliance operations, and risk management, security and compliance professionals will need to brace themselves for a barrage of requests for detailed reporting, more internal assessments, and more frequent communication with the board around cybersecurity risk.
Download the 2023 IT Compliance and Risk Benchmark Report
The 2023 IT Compliance and Risk Benchmark Survey gathered 1,010 responses during December 2022 and January 2023. All organizations come from the following industries:
Average Organizational Size of Respondents
Decision Making Capabilities
83% of all respondents said they are directly involved in decisions regarding cybersecurity and data privacy risks for their organizations. 16% said they are knowledgeable enough to understand the requirements and needs regarding cybersecurity and data privacy for their organization. 1% said they do not make decisions but are involved in maintaining IT security and data privacy for their company.
81% of respondents said they are the sole decision-maker in decisions regarding data security and data privacy compliance for their organization. 16% said they are one of the decision-makers within their organization; 2% said they are part of a team or committee, and 1% said they gather information and provide research regarding data security and data privacy compliance.