Each year, Hyperproof conducts our IT Compliance and Risk Benchmark Survey to uncover the top challenges IT compliance professionals face and what issues they are focused on in the coming year. We asked over 1,000 survey respondents about their pain points, IT risk and compliance budgets, staffing, risk management best practices, and much more to provide an in-depth view of the market’s current state and what to prepare for this year. (By the way, you can download the full report here to take a deep dive into the latest compliance trends for 2023!)
One of the most striking findings that came out of this year’s report was that companies operating with their risk management and compliance operations data in silos experienced a higher frequency of breaches. Let’s dig into the data:
Risk Management Confidence Remains High, but Data Silos Persist
First, let’s start with risk. When surveyed, respondents said they took risk management seriously and kept it top-of-mind, with 93% of respondents feeling that they’ve done well in identifying and assessing risks. IT risk assessments were also a high priority. 56% of InfoSec professionals are conducting annual security risk assessments, and 27% are conducting biannual assessments. Unsurprisingly, mature companies that had more employees and a longer business tenure were prone to conduct assessments twice a year, likely due to the size and complexity of their security compliance programs.
However, although respondents grasp the importance of risk management, their processes for managing IT risks lag behind their intentions. Despite this overwhelming confidence respondents have about identifying and assessing risks, 51% said they struggle with identifying where the critical risks are to assess what remediations to prioritize. 30% of respondents said their process to identify controls that can mitigate risks does not meet their company’s objectives, and 39% of all respondents said they struggle with finding risk-related information when they need it.
So, why are respondents so confident in their ability to address risks but still struggling to identify risk-related critical tasks? Identifying and prioritizing critical risks is considered, by far, the most time-consuming activity related to managing security and data privacy risks. This problem is at least partially caused by respondents not having the right data at their fingertips. Additionally, 38% of respondents admitted that they switch between multiple systems throughout the risk management process and that they have separate places for risk assessments vs. tracking remediation efforts, such as multiple spreadsheets containing risk assessment results or multiple platforms tracking risk.
So, what does this mean? Why is confidence in addressing risk so high when the results don’t align with all these processes in place? Our data shows that because risk management and compliance operations activities are still operating in silos, organizations are struggling to unify compliance and risk, causing problems for risk remediation. In fact, 90% of surveyed organizations are managing risks and their compliance program in silos, which we will discuss more in detail later in this article.
Risk and Compliance Data Silos Led to More Breaches
Although risk and compliance continues to operate in silos, respondents recognize the benefits of changing this reality. 57% of respondents said that having a solid compliance program helps them mitigate risks, even though risk management and compliance activities are typically conducted in response to separate events. Only 10% of respondents have an integrated view on how to manage their unique set of risks and have aligned their risk and compliance activities, and organizations that managed risk in an ad-hoc manner or only when a negative event happened were more likely to experience a breach.
Let’s break these metrics down a little more:
Managing risk ad-hoc or in siloed departments had negative impacts on those surveyed: we found that 1 in 2 companies managing risk ad-hoc or in siloed departments experienced a breach in 2022. Parsing this number further, we saw that 61% of companies that characterized their risk management approach as “ad-hoc” experienced a breach, and 46% of those managing risk in siloed departments experienced a breach.
In contrast, only 36% of companies with an integrated approach and manual tools experienced a breach. Additionally, only 30% of companies with an integrated approach and automated tools experienced breaches.
The takeaway? Companies that unified their risk and compliance operations did not suffer the same frequency of breaches, indicating that operating in silos opens companies up to vulnerabilities.
The takeaway? Companies that unified their risk and compliance operations did not suffer the same frequency of breaches, indicating that operating in silos opens companies up to vulnerabilities.
Risk and Compliance Data Silos Made KRIs and KPIs Harder to Establish
Notably, 29% of respondents do not have established KRIs linked to their KPIs for any identified high or critical risks, indicating that risk and compliance could still be operating in silos, or respondents haven’t figured out how to measure meaningful changes to risk level. Unifying risk and compliance efforts can help solve each of these pervasive challenges. 68% of respondents using integrated tools with both manual and automated processes did not experience a breach in 2022, and 72% of respondents who have tied their risk and compliance activities together did not experience a breach.
31% of respondents said they manage IT risk in siloed departments, processes, and tools, followed by 24% that manage IT risk in an integrated approach where their processes are mostly automated. These numbers are striking; while respondents clearly see the value in unifying risk management and compliance operations, the overwhelming majority of those surveyed aren’t following this best practice. Even the most powerful IT risk management tools can under-deliver when key processes haven’t been established.
Risk and Compliance Data Silos Led to an Increase in Time-Consuming Manual Processes
Managing risk and compliance in silos was time-consuming for respondents. The average respondent said 38% of their time is spent on administrative tasks — about the same as 2022, where the mean was 39%. 85% of all respondents said their risk and compliance management team spends at least 1/3 or more of their time at work on repetitive tasks. Automating administrative tasks could reduce the burden of manual processes for security, compliance, and risk managers.
So, how could companies go about addressing risk management and compliance operations more holistically? Namely, they could reimagine the process by focusing more on macro strategies by identifying the overlaps between their risk management and compliance activities to streamline their processes.
The Benefits of Unifying Risk and Compliance Data
Taking an integrated approach to risk and compliance operations allows organizations to focus on their unique set of risks while avoiding duplicate activities across their risk and compliance management processes. Organizations that take this approach typically start the risk management process with conducting a risk assessment. From there, they create security policies and implement internal controls tailored to the results of their risk assessment. This allows for greater alignment throughout the organization by allowing for input from all stakeholders, not just a select few. And, it helps create a compliance program that integrates directly with risk operations.
When we conducted our survey, we wanted to see whether companies that take an integrated approach to GRC achieved significantly better outcomes from a security standpoint and business performance perspective compared to organizations that still view compliance as a separate, policing function. We found strong evidence that organizations taking an integrated approach have better security posture than their counterparts who view compliance solely as the function that enforces rules and regulations:
- On average, organizations that take an integrated approach to risk management experienced security breaches less often than those who view their compliance function as the enforcer of rules.
- As a group, organizations that take an integrated approach spend less time on repetitive and administrative tasks compared to those who believe the compliance function’s purpose is to enforce the rules.
Want to learn more? Download the 2023 IT Compliance and Risk Benchmark Report!
Monthly Newsletter
Get the Latest on Compliance Operations.
