RegScale

70 STATS · 2 REPORTS

All Statistics

More than one-third of organisations (34.2%) hope to achieve their KPIs for compliance benchmarks by incentivizing success or by penalizing failure, or by implementing both incentives and penalties.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · KPIs · Incentives · Penalties

69.7% of CISOs said cost is most important when selecting tools/vendors to provide governance and continuous controls monitoring.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Resources · Personnel · Skill

Over a billion credentials were stolen in malware attacks within a 12-month period.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Evidence · Regulatory Requirements · Management

Stolen credentials are involved in nearly half (44%) of all data breaches.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Centralized System · Regulatory Requirements · Management

Of the 1.8 million breached administrator credentials, 40,000 admin portal accounts had the password ‘admin’.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Audit · Readiness · Regulatory Requirements

53.2% of CISOs take note of their organisation's regulatory requirements.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Duplication · Process · Efficiency

Roughly 50% of CISOs expect automation to optimize compliance through a single pane of glass.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Automation · Governance · Technology

50% of CISOs said that, on an annual basis, they spend more than $200,000 worth of capital and dedicated staff resources to achieve and maintain compliance across their organisation.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Cost · Budget · Resources

46.2% of organisations said they don’t have a sufficient budget to invest in GRC tools.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · GRC Tools · Budget · Resources

Roughly two-fifths of CISOs (41.5%) cited evidence gathering as a challenge in satisfying regulatory requirements.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Evidence Gathering · Regulatory Requirements

13.7% of CISOs said their compliance program is a 1 (“Initial: ad-hoc”), and 23% said their program is a 2 (“Established: documented and repeatable”).

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Compliance program

More than a third (37.8% of CISOs) said the relationship between compliance and security is in a phase of simple negotiations.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Security

25.5% of CISOs assume current GRC processes are not broken.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Process · Standardization · Structure

66.7% of education businesses are challenged by audit readiness and their maturing compliance program.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Audit Management · Implementation · Process

230 million of the breached passwords met standard complexity requirements, including length, capitalisation, numbers and special characters.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Control Mapping · Regulatory Requirements · Management

30% of CISOs spend less than $100,000 annually on compliance.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Cost · Budget · Resources

Most organisations (57.9%) spend at least some of their budget on GRC tools to collect and maintain compliance evidence.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · GRC Tools · Budget · Resources

Almost half of the CISOs who rated their compliance programs a 1 or 2 attributed their difficulties to a lack of personnel or resources.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Compliance program · Personnel · Resources

Of the organisations that measure the operational cost of managing compliance, 10.1% track IT costs.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Duplication · Process · Efficiency

76.1% of CISOs said integrations are most important when selecting tools/vendors to provide governance and continuous controls monitoring.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · CI/CD · Technology · Integration

44.2% of CISOs consider security and compliance a business enabler.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · CI/CD · Integration · Automation

40.4% of CISOs cited the lack of a centralized system as a challenge in satisfying regulatory requirements.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Centralized System · Regulatory Requirements

Almost one-third (31.1% of CISOs) believe that their company’s resistance to change is primarily driven by financial matters.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · CI/CD · Integration · Automation

26.1% of CISOs cited the rate of regulatory change as a challenge in implementing new or updated compliance frameworks.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Regulatory · Compliance frameworks

43.6% of CISOs cited control mapping as a challenge in implementing new or updated compliance frameworks.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Control Mapping · Compliance frameworks

38.5% of CISOs said GRC tools are too expensive.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · GRC Tools · Cost · Resources

17.6% of CISOs believe that manual processes are easier than using Compliance as Code.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Process · Efficiency · Improvement

Just over 13% of CISOs are looking to technology to help solve their problems and have started to adopt or have plans to adopt Compliance as Code (OSCAL or OCSF).

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Compliance as Code · Technology · Adoption

35% of CISOs said that, on a scale of 1 to 5, they would rate their compliance program a 3 (“Defined: early-enterprise, standardized and structured”).

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Compliance program

53.7% of CISOs stated that compliance is not embedded into their CI/CD pipeline.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · CI/CD

20% of CISOs spend between $100,000 and $200,000 annually on compliance.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Cost · Budget · Resources

Just over a quarter (26.4%) of CISOs said that compliance has been embedded into 26-50 percent of their pipeline, while 27.4% have embedded compliance in as much as 75 percent of their pipeline.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · CI/CD

Less than one-sixth (14.2%) of CISOs have embedded compliance into the majority (76-100 percent) of their pipeline.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · CI/CD

Less than half of the respondents (44.1% of CISOs) described the relationship between compliance and security as completely synchronized.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Security

One-third (33% of CISOs) see an opportunity to supercharge staff through automation.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Automation · ROI · Tools

Almost one in ten (9.6% of CISOs) said the relationship between compliance and security is in a period of complex negotiations, while 8.5% said the relationship is out of sync.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Security

Roughly one-sixth (15.8% of CISOs) endure quite a bit of duplication and 37.4% have some duplication in their compliance efforts.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Compliance efforts

Only a fifth (20.5% of CISOs) said they have very little duplication in their compliance efforts.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Compliance efforts

Roughly half of CISOs (47.9%) cited evidence gathering as one of their greatest challenges in implementing new or updated compliance frameworks.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Compliance frameworks · Evidence gathering · Implementation

53.7% of CISOs pointed to skilled staff as a major challenge in implementing new or updated compliance frameworks.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Skill · Staff · Resources

38.3% of CISOs cited cost as a challenge in implementing new or updated compliance frameworks.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Cost · Compliance frameworks · Budget

33.5% of CISOs cited audit management as a challenge in implementing new or updated compliance frameworks.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Audit Management · Compliance frameworks

Many CISOs (51.6%) cited their maturing compliance program as a challenge in satisfying regulatory requirements.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Maturity · Regulatory Requirements

Nearly as many (46.3% of CISOs) think the technology will allow them to more rapidly apply governance.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Automation · Staff · Productivity

Just over a quarter (27.7% of CISOs) think that automation will improve the ROI on existing tools.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Manual Processes · Compliance as Code · Ease of Use

Almost two-thirds of organisations (63.7%) do not feel that meeting new regulatory requirements slows their organisational growth.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Control Mapping · Process · Management

34.6% of CISOs are challenged by regulatory change management in satisfying regulatory requirements.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Regulatory Change · Regulatory Requirements

Roughly 22.6% of CISOs rate their compliance program a 4 (“Adherence: measured with metrics to support audit and risk mitigation”), but only 5.3% believe their program is a 5 (“Optimized: continuous improvement and efficiency”).

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Compliance program

More than one-third (37.2% of CISOs) said that no platform has demonstrated its reliability for Compliance as Code.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · Metrics · Audit · Risk management

Just 17.9% of CISOs are using GenAI tools within their compliance program.

RegScale · The CISO Society 2025 State of Continuous Controls Monitoring Report · Jan 1, 2025
Compliance · GenAI · Tools · Technology