BreachExchange mailing list archives

Understanding the risk and compliance landscape


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 27 Nov 2015 13:29:48 -0700

http://www.itproportal.com/2015/11/26/understanding-the-risk-and-compliance-landscape/

The world of regulatory compliance is always evolving, with requirements
constantly multiplying. At the same time, many IT departments are seeing
their budgets frozen or cut, presenting significant challenges in terms of
managing GRC processes and maintaining data security. With manual,
spreadsheet-based processes still common in the enterprise, it is becoming
increasingly difficult for businesses to have an overview of their various
compliance requirements and ensure that they continue to meet standards.

Earlier this year we conducted a survey of 130 IT and security
professionals based in the UK. Respondents came from companies of various
sizes and from a wide range of industry sectors, with all of them having
responsibility for governance and compliance. They worked for companies
ranging in size from less than 10 UK employees to more than 5000, and in a
variety of sectors including technology, government, banking and energy.

The aim of the survey was to gather data on current trends and attitudes in
risk and compliance, covering issues such as budgets, data breaches, the
most common standards that businesses have to meet, the priority that
management places on risk and compliance and the systems organisations have
in place. Let’s take a look at the key findings.

A high priority with restricted budgets

The survey participants were asked to rate the priority that their IT
department and senior management place on risk and compliance from 0 to 10,
with 0 being least critical and 10 being most critical. 72 per cent gave
their IT department a score of 7 or above, with the figure only slightly
lower (70 per cent) for senior management. Around a quarter of respondents
awarded full marks.

But despite it being seen as a high priority, it seems that this is not
being reflected in organisations’ budgets for compliance activity.
Respondents were asked how the budget had changed over the past 12 months,
and 53 per cent said that it had decreased or remained the same. A further
16 per cent did not know, leaving only 31 per cent who had seen their
compliance budgets increase over the last year.

This illustrates a major pain point that exists in many organisations, that
while their compliance burden is growing they are being asked to do more
with less. This is creating a knock-on effect for IT teams, causing many to
resort to rudimentary methods to monitor risk and compliance, which simply
aren't as effective.

Manual processes remain prevalent

This is perhaps most obvious when looking at the processes organisations
rely on for managing their compliance. We asked respondents questions
regarding the systems that their organisation had in place for compliance
and risk management. 39 per cent said their organisation had a manual,
spreadsheet-based process for risk management, while 37 per cent had a
similar process for compliance management. A further 22 per cent said that
their organisation had no system in place for risk management, or did not
know, which rose to 28 per cent for compliance management.

19 per cent of those surveyed admitted that their organisation does not
carry out an annual risk assessment of IT, and a further 3 per cent did not
know. Interestingly, 61 per cent of that group also had no system in place
for compliance management, while half did not have a system for risk
management.

These challenges can be quickly overcome by automating processes. This
makes it easier for companies to get a clear view of their compliance and
risk profile from a business perspective, helping to minimise their
exposure to risks while saving IT teams both time and costs. This quickly
realises key strategic and operational benefits, and provides a solid
foundation for future business planning.

The security threat

Cyber-attacks present a growing threat to all types of organisations. The
survey participants were asked if their organisation had suffered a
security incident that had led to a data breach in the past 12 months, with
the results showing that over a quarter (27 per cent) had. There was also a
correlation between those who had experienced data breaches and the types
of processes they have in place, with 55 per cent of them having manual
processes for risk management and 48 per cent having manual compliance
management systems. The most common type of breach was an accidental
internal breach, followed by a malware infection.

The growing compliance burden

Business compliance requirements are growing, and it is becoming
progressively more challenging for organisations to have an overview of
their risk and compliance status across the business – especially when they
are relying on manual, paper-based processes to do so.

The results of the survey highlight the breadth of compliance requirements
that organisations currently face. Only 31 per cent of respondents had no
or only one compliance standard that they must meet, while 9 per cent had
more than three. The most common compliance standards identified were ISO
27000 (49 per cent), PCI (39 per cent) and ISO 9000 (20 per cent).

With IT departments seeing their compliance budgets cut in real terms,
businesses run the risk of falling short of compliance standards, incurring
penalties and even suffering data loss incidents. Until organisations start
to provide IT teams with budgets that match the priority of risk and
compliance within the business, they will face an increasingly difficult
battle to remain compliant, reduce risk and stay breach-free.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
