Companies are struggling with increasing compliance burdens that consume significant portions of corporate IT budgets and time. 51 percent of respondents report that compliance requirements take up 20,000 hours of resources annually. In addition, 58 percent of companies report that compliance requirements are a barrier to entering new markets. 70 percent say they must manage at least five different compliance projects at any given time, and 7 percent work on 50 or more projects at once.
The large amount of time and expense devoted to compliance is problematic. While compliance is an important and necessary part of overall cyber governance, much more important is cyber performance: are technology risks being well-managed or poorly managed?
The survey results also point to what Cyberhedge refers to as the ‘Cybersecurity Trilemma’. Companies can invest in only two of three objectives, (1) increasing growth, (2) cutting costs, and (3) improving cybersecurity, but not all three. Many companies that are spending a significant percentage of their IT security budget on compliance have in all likelihood chosen ‘increasing growth’ and ‘cutting costs’ over ‘cybersecurity’, and the high percentage of compliance spend at these companies suggests that they are underinvesting in their actual security.
Companies that are mostly focused on compliance while underperforming on cyber governance are risking significant shareholder value loss. COVID‑19 disruptions have increased the challenges faced by these companies, which were already behind the curve in effectively protecting their digital assets. Some are also under even greater budgetary pressure to cut costs in response to the pandemic and do not have the resources needed to improve their performance and lower the downside financial risks that result from poor cyber performance.
Furthermore, shareholders are in the dark about much of this, as corporate disclosures on cyber are inadequate. In addition, improving cybersecurity and proactive risk management requires shifting away from ‘moment in time’ assessments and towards continuous monitoring, such as that offered by Mandiant Security Validation.