The State of Cybersecurity Compliance in 2023 – Part 1
Blog Article Published: 10/24/2023
Originally published by Coalfire.
Written by Adam Shnider, EVP, Compliance Services, Coalfire.
- Costs are rising, and many industries, including retail, financial services, tech, and healthcare, report rising compliance costs.
- Evolving framework requirements and revisions are increasing the complexity of managing compliance programs.
- Automation is the key to scaling; however, there is more work to be done for organizations to get the full value out of their automation platforms.
Coalfire recently released their latest Securealities Compliance Report revealing the major industry trends we’ve been tracking over the past few years. Perhaps the most crucial shift coming to light this year is that the compliance paradigm has arrived at a new state of maturity. In the eyes of executive leadership, compliance programs have evolved from profit-blockers to mission-critical business differentiators vital to new market entry. Enabling business growth through multi-framework certifications is the security team’s new corporate directive, while at the same time (and as always) keeping the bad actors at bay.
In this blog series, we’ll examine the trends and offer guidance for cyber teams looking to gain a competitive advantage with their compliance programs. In this first post, we’ll summarize the top three strategic imperatives driving compliance management decisions: cost, complexity, and automation.
Rising compliance costs
The survey data, compiled by our research partner Omdia, confirms that compliance costs continue to rise. Well over half of enterprise security professionals have seen increases in operational spending.
- 58% of retail, financial services, tech, and healthcare companies report rising compliance costs.
- Over 40% claim 25%+ budget increases since 2020 and expect costs to continue to rise.
As CISOs already know, C-suites and boards demand better efficiencies and better ROSI (return on security investment). Across all industry sectors, gaining speed to market is more critical than ever, and cyber integrity needs to keep up with the corporate mandate to lower costs and increase competitive advantage.
Entering a new market that requires a new compliance credential is always a high-risk business proposition. Failure to launch is costly. Marketing and sales teams cannot afford mistakes or a weak value proposition, and must rely on compliance teams to help build trust by demonstrating compliance with industry-required frameworks.
Leadership wants access to new markets without hiring new staff for every regulatory regime. For CISOs, the key to success is to prepare for new market entry by leveraging multiple frameworks that can scale quickly, on demand, and without breaking the bank.
Increasing complexity of compliance frameworks
With fiscal pressure comes more responsibility, and compliance teams are managing far more framework environments than they were three years ago. Adding to both management and technical complexities, most compliance regulatory bodies are planning major policy and requirement revisions in the near future. The vast majority of those surveyed (77%) are preparing for significant migrations over the next 18 months.
- The mandatory requirements of data protection frameworks impact 84% of those surveyed.
- Nearly 70% of companies surveyed manage at least six frameworks.
Especially for cloud service and SaaS providers, failure to comply with the more stringent cloud security compliance guardrails prescribed by FedRAMP, CMMC, PCI DSS, ISO, and HITRUST – and now the Securities and Exchange Commission updates – will result not only in more corporate liability but personal legal exposure for executives.
With such complicated assessment, testing, and certification regimes, a well-informed platform to manage the explosion of requirements is the solution to the problem of managing multiple frameworks, with automation of technical control review as the icing on the cake. However, despite the rapid evolution from check-the-box compliance programs to continuous deployment, testing, and assurance integration, we’re still in the early days of compliance transformation.
The race to compliance automation
The ability to enter new markets generally conflicts with the capacity to scale operations within various regulatory ecosystems, and most platforms aren’t built for this type of use case. So far, the automation space has developed primarily toward supporting basic needs and single frameworks. The red flag here is that complexity can quickly snowball, and tech-enabled platforms must be comprehensive in their ability to perform in hybrid environments with strong operational resilience.
- 56% of large enterprise security teams now use automation software to manage compliance.
- 64% of $1 billion+ enterprise respondents use automated evidence mapping to manage OpEx in multi-framework environments.
The report warns that automation by itself is not a set-it-and-forget-it magic wand. In the move toward continuous integration and deployment of compliance operations, our survey confirms that the fundamental drivers for cost controls and technology efficiencies still require the traditional skillsets: institutional knowledge, human intelligence, cyber experience, rigorous due diligence, and veteran oversight.
Comprehensive compliance transformation
Cost, complexity, and automation are the key areas of compliance management focus. Keeping costs down while complexity goes up is the problem. Automation is the solution. However, a quarter of enterprise security programs haven’t even started planning for the major framework revisions and migrations coming down the pipeline. Some industry sectors are well ahead of the game, but on average, there is still a long way to go to full market adoption.