A survey of 235 North American organizations reports that 87% of respondents adhere to some cybersecurity compliance framework, but only 24% of the organizations devote a full-time position to this responsibility. This represents a significant challenge for companies navigating the numerous and complex frameworks available to them.
Some companies foresee fines for failure and so build these fines into their cybersecurity budgets. This is very unfortunate, as it consumes the part of the budget that could have been used to fix problems or to hire someone to help.
The biggest compliance obstacles for companies now are budgetary constraints and a lack of staff dedicated to cyber risk. Cybersecurity efforts are surprisingly under-resourced, with 60% of respondents saying they spend less than 10% of their budgets on compliance and risk governance.
Reassessing their security programs is a challenge for organizations, but if done properly they would benefit from doing so. Instead of seeing regulatory compliance as the end goal, organizations should treat compliance as the foundation on which to build their security structure.
In short, organizations should continually re-evaluate their methods. They should run gap assessments to identify instances of non-compliance, then rectify those weak spots before they result in fines or compliance failures.
About one-fifth of survey respondents said they are unsure why they follow their current compliance standards, clearly highlighting the danger of a “business-as-usual” mindset. Compliance is a continual journey of improvement. Organizations whose existing security programs meet compliance obligations may suffer from an overly static approach. As organizations grow and compliance risks evolve, so must the approaches these organizations take to compliance.
Companies must continue to try to meet the demands of ever-changing cyber risks.