KnowBe4, provider of a security awareness training and simulated phishing platform, announced the release of a research report on compliance management. The research surveyed 1,872 cybersecurity professionals and is timely, as these practitioners are navigating changing compliance standards like GDPR, which launched last week.
Key findings from the report include:
- The penalties associated with a failure to comply with the various regulations to which organizations are subject can be significant (such as GDPR’s up to €20 million or 4 percent of annual global revenue) and can create a variety of both financial and nonfinancial consequences.
- Most organizations must track a significant number of internal controls and business processes in order to become compliant with the various regulations and regulatory frameworks to which they are subject.
- The vast majority of organizations surveyed go through at least two internal and/or external audits each year, but more than 15 percent go through six or more such audits each year.
- Nearly two-thirds of the organizations surveyed are using spreadsheets to manage their compliance process, but the use of spreadsheets is an inefficient way to manage compliance- and audit-related tasks for all but the smallest organizations.
- Most organizations have either not evaluated compliance and audit management products (42 percent) or have done so in the past (40 percent), but 51 percent are interested in the use of SaaS-based applications that would reduce the time required to satisfy their compliance goals and significantly reduce the costs associated with compliance management.
- The research found that most organizations maintain a significant number of published policies: one-third of the organizations surveyed maintain more than 25 published policies, and more than two-thirds maintain more than five.
The report notes that one of the problems with managing so many compliance policies is that the management problem is not linear. Because there are interrelationships between policies, such as managing the same data sets in different ways, managing 10 different compliance policies is more than twice as difficult and complex as managing just five.
Consequently, the growing number of compliance policies that organizations must address means either that a growing share of IT resources must be devoted to managing these policies, or that new ways of compliance management must be found.