Purchasing Pattern Trends in GRC: Where Budgets and Time Are Spent in 2023
In a volatile economic climate, you may be wondering how purchasing patterns are changing in the GRC space. In December 2022, Hyperproof surveyed over 1,000 industry professionals about their spending patterns and their overall compliance and risk operations. You can find the full report here and dive into the pain points and trends for 2023.
The survey uncovered a surprising result: despite current market conditions, both budgets and purchasing activity in the governance, risk, and compliance (GRC) space are increasing, which underlines the importance respondents place on compliance and risk management.
Here’s what the data showed:
Where are budgets going?
Respondents reported that 29% of their budgets went toward GRC tools, 25% to compliance audits, 22% to outsourcing and consultant work, and 24% to staff. For 2023, respondents plan to allocate the largest share of spend to purchasing GRC tools.
This aligns with the broader trend of finding and eliminating inefficiencies to streamline compliance and risk management. By investing in technology, industry leaders are trying to simplify the everyday tasks and processes their teams face, reducing the fatigue and burnout caused by tedious, and often complex, manual work. The emphasis on GRC tools also highlights the need for the profession to move toward effective, unified compliance and risk management processes.
Understanding how your peer organizations are spending can help you advocate for the right resourcing at your own organization, so that your team has adequate staffing and the correct tools to support it.
Looking for ways to justify an increase in budget? We’ve compiled a compelling list of reasons why in this blog.
Are respondents planning on spending more time and money on IT risk management?
57% of respondents anticipate spending more time on IT risk management in 2023. At the same time, 32% said they would postpone adding compliance frameworks and/or certifications because they lack the capacity to take on new work. Both the time and the money spent on IT risk management have increased since 2022.
These numbers show that, despite volatile market conditions, organizations continue to place importance on compliance and IT risk management activities in 2023. The increase in time and money also shows that more resources are needed to keep up with the current security landscape, especially as the number of cyber attacks continues to increase.
In 2023, 63% of companies plan to spend more money on compliance and risk. The average estimated increase in budgets for GRC platforms over the next 12 to 24 months is 25%, and 76% expect to increase spend by at least 10%. On the other hand, 13% said they would reduce spending, with 3% saying they will spend "a lot less money" on IT risk management and compliance operations in 2023.
The lack of capacity noted above is dangerous, especially as cyber attacks continue to increase in number and severity. In fact, 42% of those surveyed said they experienced a breach in the last 24 months, a startling statistic given that our research captured only a small portion of the IT compliance and risk management landscape. Compliance managers need to find ways to reduce their manual administrative burden so they can focus on what matters most: protecting the company and its employees.
As compliance professionals spend more time on manual tasks, the need for technology that improves their processes grows. Whether that means automating evidence collection or further operationalizing control assessments, there are options available to simplify and streamline the compliance process.
Compliance also isn't cheap: it is an industry valued at 47,223.0 million, and growing. That is why we measure these benchmarks each year, so you can understand how you stack up against the market. Whether you use these statistics to justify an increase in your GRC budget or to examine how your peers tackle the same problems, they are valuable to have on hand when planning the future of your business and its compliance program.
What’s driving spend increase?
The most frequently cited drivers of increased spend were growth in cloud footprint (47%), an increase in the number of applicable or required regulations (45%), greater regulatory scrutiny and enforcement (45%), and growth in the number of third parties that touch corporate or customer data (45%).
At the lower end of the spectrum, the least cited drivers were business expansion and customers' need for assurance (43%), a deeper understanding of the company's own risks (39%), and changes to regulations, i.e. regulatory volatility (38%).
As cloud footprints continue to grow, so does third-party risk. Vendors need access to essential parts of your corporate or customer data to deliver the goods and services they promise, and that is not going to change anytime soon. Third-party risk therefore persists as a major issue in the compliance space, but there are best practices you can follow to protect your business from breaches.
These include establishing a framework and defined process for assessing third-party risk, basing your vendor risk management program on industry standards, developing structured vendor onboarding and offboarding procedures, and maintaining the program once it is in place. With these processes in place, vendor risk becomes far easier to mitigate.
How much do data breaches cost respondents?
Whether they are in the news or top of mind for you and your team, data breaches are becoming increasingly common. There were 1,802 known breaches in 2022, affecting 422.14 million people. In our survey alone, 42% of respondents experienced some kind of breach in the prior 24 months.
In our 2022 and 2023 reports, respondents most frequently reported losing between $1M-$5M via a data breach. Companies with greater than 2,500 employees were more likely to incur $5M-$20M in losses via data breaches. Smaller companies with less than 2,500 employees were more likely to incur $100k-$1M.
We also found that companies are still managing compliance and risk in data silos, and that those silos correlate with more breaches: 1 in 2 companies managing risk ad hoc or in siloed departments experienced a breach in 2022. As our data shows, the importance of unifying risk and compliance cannot be overstated, and the risk of a data breach is not going away.
The impact of data breaches on smaller companies is substantial. Although their losses of $100k to $1M are smaller in absolute terms than the $5M to $20M larger companies report, such a loss represents a much larger share of a small company's resources, since small companies typically lack the funding and infrastructure of larger ones. Larger companies, meanwhile, may be more attractive targets and sustain larger absolute losses, but the relative impact on smaller companies is greater.
Time and Cost of Compliance Continues to Grow
If your budget is increasing despite current market conditions, you are not alone. Now that you have a baseline understanding of how your peers are allocating their budgets this year, you can take steps to align your budget with industry norms. And if you are still struggling to determine what your budget should be, use this research as a guideline when communicating with stakeholders.
The cost of manual, administrative tasks grows each year, and compliance managers need to free up time to focus on maintaining continuous compliance and mitigating risk. As a result, the use of technology in the risk and compliance discipline will only continue to grow, as the increase in budget for GRC tools demonstrates.
As the risk of cyber attacks and breaches increases, uniting your risk and compliance activities becomes all the more valuable. At the same time, third parties continue to access your business data, which has expanded the attack surface for companies that rapidly grew their cloud footprint in the last few years. It is vital to approach vendor and third-party risk management even more carefully than before.
By taking these benchmarks into consideration, you can better prepare your organization to protect itself, and you will understand how and why your peers are spending their time and money.
Courtney is a marketing specialist with over five years of experience telling compelling stories in accessible ways for SaaS readers. She is passionate about keeping up with the latest cybersecurity news. In her spare time, you will find Courtney reading and writing about mental health, music, and art.