UK survey reports 51 percent of companies spend at least 40 percent of their IT security budget on compliance


Companies are struggling with increasing compliance burdens that are taking up significant portions of corporate IT budgets and time. 51 percent of respondents report that compliance requirements take up 20,000 hours of resources annually. In addition, 58 percent of companies report that compliance requirements are a barrier to entering new markets. 70 percent say they must manage at least five different compliance projects at any given time, while 7 percent work on 50 or more projects at any given time.



The large amount of time and expense devoted to compliance is problematic. While compliance is an important and necessary part of overall cyber governance, much more important is cyber performance: are technology risks being well-managed or poorly managed?

The survey results also point to what Cyberhedge refers to as the ‘Cybersecurity Trilemma’: companies can choose to invest in two of the following three, but not all three: (1) increasing growth, (2) cutting costs, or (3) improving cybersecurity. Many companies that are spending a significant percentage of their IT security budget on compliance have in all likelihood chosen ‘increasing growth’ and ‘cutting costs’ over ‘cybersecurity’, and the high percentage of compliance spend by these companies suggests that they are underinvesting in their actual security.

Companies that are mostly focused on compliance while underperforming on cyber governance are risking significant shareholder value loss. COVID‑19 disruptions have increased the challenges faced by these companies, which were already behind the curve in effectively protecting their digital assets. Some are also under even greater budgetary pressure to cut costs in response to the pandemic and do not have the necessary resources to improve their performance and lower the downside financial risks of poor cyber governance.

Furthermore, shareholders are in the dark about much of this, as corporate disclosures on cyber are inadequate. In addition, improving cybersecurity and proactive risk management requires shifting away from ‘moment in time’ assessments and towards continuous monitoring offered by companies like Mandiant Security Validation.
