Summer 2025

2025 IT Risk and Compliance Benchmark Report

Beyond the Benchmark:
How Does Our Report Compare?

A Publication by Hyperproof

Unlock the Spring 2025 Full Report

Top Finding 1

91% of respondents have a centralized team to manage GRC

This is the highest number we’ve ever seen in the six years we have conducted this survey, up from 88% in the previous year.

Does your organization have a centralized governance, risk, and compliance program that works across business units and geographies?

Why this matters

The high adoption of centralized GRC teams indicates a strong trend toward integration in the market, as most organizations recognize the importance of taking a unified approach to risk and compliance management. However, those 8% of organizations still operating in silos face significant challenges, including inconsistent risk mitigation practices and inefficiencies.

Top Finding 2

60% of respondents who manage risk ad-hoc or when a negative event happens experienced a data breach in 2024

Respondents who use integrated and automated GRC tools are less likely to experience a data breach at only 41%.

Has your organization experienced a data or privacy breach in the last year?

Why this matters

The tangible benefits of investing in GRC platforms that enable continuous monitoring, streamlined workflows, and real-time insights are undeniable. This finding underscores that relying on reactive, event-driven risk management leaves organizations more vulnerable to breaches, while adopting integrated and automated solutions significantly enhances their ability to identify, mitigate, and prevent risks, ultimately protecting sensitive data and organizational reputation.

Top Finding 3

63% of all respondents said their GRC budgets will increase in 2025

The majority of respondents expect budgets to go up for the second year in a row.

What is the expected or planned increase in your GRC budget in the next 12-24 months?

Why this matters

This finding underscores the growing recognition of GRC as a competitive advantage. As cyber threats become more sophisticated, regulatory requirements more stringent, and supply chains more interconnected, organizations must invest in robust GRC frameworks to mitigate risks, ensure compliance, and build stakeholder trust. Increased budgets signal a commitment to adopting advanced tools — like automated GRC platforms — to streamline workflows, improve efficiency, and enhance decision-making.

Top Finding 4

72% of surveyed organizations plan to grow their compliance teams in 2025

The majority of respondents are confident about their ability to expand their teams despite economic uncertainty in 2025. 

In the next two years, will your company’s compliance team headcount grow, stay the same, or decrease?

Why this matters

The overwhelming intent to expand compliance teams highlights a broad industry shift toward strengthening GRC efforts. This trend is likely driven by increasing regulatory complexity, heightened enforcement, and the growing need for organizations to demonstrate accountability and transparency. With compliance viewed as a critical enabler of organizational resilience and trust, the next two years will see many teams expanding to meet these demands head-on.

Top Finding 5

52% of all respondents spend 30%-50% of their time on administrative tasks like manual data entry

Although respondents are confident that they have taken steps to mature their GRC programs, they still spend a significant amount of time on manual processes.

What portion of your risk and compliance management team’s time is spent on repetitive/administrative tasks?

Why this matters

Despite efforts by GRC teams to streamline workflows, adopt new processes, and better integrate their work, our respondents stated that their work is still burdensome and certain tasks are still too laborious. To address these burdens, many organizations are turning to purpose-built tools and software solutions designed to alleviate the manual, fragmented, and complex aspects of GRC work. These tools reduce the reliance on repetitive data entry, streamline processes across multiple systems, and provide greater clarity in risk identification and management.

Top Finding 6

59% of respondents test all controls as opposed to only the most critical controls

This is an increase of 26% year-over-year, signifying a major industry shift to proactive compliance management strategies.

How often does your organization conduct security risk assessments?

Why this matters

This year, 59% of respondents reported that they test all controls as opposed to only the most critical controls. This is a major shift in the industry, emphasizing the importance of moving beyond reactive, audit-driven assessments to a more strategic and holistic control testing process. Testing all controls ensures that even lower-priority areas are scrutinized, reducing the likelihood of overlooked vulnerabilities that could lead to compliance failures or security breaches.

Top Finding 7

74% of respondents in 2024 said their annual security budget is over $1 million

Most of the surveyed organizations are making a substantial investment in security. Only 22% of respondents reported that their annual security budget is under $1 million.

What is your security budget for 2025?

Why this matters

Respondents are taking a proactive approach to GRC, a significant shift in the industry since last year’s survey report. Businesses are no longer viewing GRC as a cost center but as a critical investment, and their budgets are beginning to reflect this change in mindset. With significant budgets allocated to GRC, organizations are better positioned to adopt advanced solutions, including AI-driven risk management tools and integrated GRC platforms. This trend creates opportunities for service providers and vendors to meet the growing demand for innovative GRC solutions. This finding offers a clear call to action: the landscape is shifting, and those who embrace this momentum stand to gain a competitive edge.

Top Finding 8

55% of respondents in 2024 said they use a common controls framework to streamline their GRC processes

Using a common controls framework (CCF) has become a standard best practice, differing from our results in previous years.

How does your organization adapt its cybersecurity and compliance controls to manage regional variances in data security and privacy regulations?

Why this matters

A CCF simplifies compliance by mapping multiple regulatory requirements to a single set of controls, reducing duplicative efforts and making it easier for organizations to stay compliant across different frameworks. This finding highlights the importance of adopting best practices to improve operational efficiency, ensure consistent control implementation, and reduce the complexity of managing overlapping compliance requirements. The increased use of CCFs reflects a maturing GRC landscape where organizations prioritize scalability and resilience, positioning themselves to respond more effectively to evolving regulatory and risk environments.

About this Report

The 2025 IT Risk and Compliance Benchmark Report, like each year's edition, takes a deep dive into market trends in the GRC space to help you prepare for the year ahead. This year, we uncovered several surprising gaps between cybersecurity industry ideals and today's operational compliance realities. To present the most well-rounded perspective on these findings, we took things one step further: we compared our data against reports from Accenture, BDO, PwC, KPMG, IANS, EY, Deloitte, Coalition, Forrester, and the CISO Society so that compliance officers, CISOs, and compliance professionals can understand how their current methods compare against industry best practices.

Top Finding 1

Only 17% of organizations adhere to country-specific data security/privacy laws despite their growing prevalence

Why this matters

This contradicts the assumption that regulatory compliance is a universal priority. Based on this data, most organizations appear to be ignoring localized requirements despite legal obligations.

Top Finding 2

76% of CISOs report that regulatory fragmentation significantly impacts compliance efforts

76% of CISOs report regulatory fragmentation affects compliance, with 17% turning to Adobe's CCF as a potential solution

Why this matters

This challenges the idea that mature organizations have solved cross-jurisdictional compliance, showing even sophisticated programs struggle with regulatory complexity.

Top Finding 3

94.2% of CISOs agree that continuous controls monitoring improves security and compliance, but only 72% have implemented such tools

Security leaders drive adoption of continuous controls monitoring

Why this matters

This gap is primarily caused by budget constraints, legacy technology integration challenges, and organizational resistance to process changes to support automation. The disconnect between aspiration and implementation reflects the larger struggle that CISOs and compliance officers face when transforming theoretical security improvements into operational reality within modern enterprise environments.

Top Finding 4

While 82% of organizations believe they effectively assess control effectiveness, 45% of board directors still seek external validation

Control assessment confidence gap between operations and board

Why this matters

This exposes a fundamental trust gap between technical teams and governance leadership that contradicts claims of aligned security assurance. CISOs believe in the value of these assessments, even when board members don’t.

Top Finding 5

52% of audit committees have primary ERM oversight, while 40.4% of organizations lack centralized systems for risk management

Audit committee oversight drives formal risk documentation practices

Why this matters

The absence of centralized risk management systems in over 40% of organizations highlights a governance gap. Closing it requires greater cyber literacy among board members, so that they can interpret fragmented risk data and make informed oversight decisions even when cyber risks are not yet included in enterprise risk management.

Top Finding 6

84% of organizations have aligned risk management with compliance, yet only 44.1% report full synchronization

Risk management and compliance show incomplete synchronization

Why this matters

This reveals a significant gap between theoretical alignment and practical integration, challenging claims of mature GRC programs. When only 44.1% of organizations have fully synchronized risk management and compliance, this means the majority of CISOs are essentially operating with partial visibility.

Top Finding 7

53.7% of CISOs report compliance is not embedded in development pipelines, while 15% of organizations lack any automated risk monitoring tools

Compliance integration lags in development pipeline automation

Why this matters

This challenges what vendors are saying about DevSecOps maturity and security-by-design implementation. The disconnect between development pipelines and regulatory requirements creates potential compliance blind spots that increase organizational risk exposure.

Top Finding 8

42% of organizations struggle with data and system silos, creating fragmented risk management approaches

Organizations managing IT risk through siloed departments

Why this matters

This confirms what practitioners have experienced for years. CISOs cannot effectively communicate organizational risk to senior leadership or the board when working with fragmented data sources that tell conflicting or contradictory stories.

Top Finding 9

47.9% of organizations struggle with evidence gathering, while 40% find audit-related tasks tedious and time-consuming

Organizations struggling to gather evidence for compliance processes

Why this matters

This reflects the reality that evidence validation remains a time-consuming, manual process in most organizations. Manual collection can create bottlenecks when subject matter experts must pause security work to provide documentation, and increases the likelihood of human error in evidence collection and submission for audits.
