Most enterprises feel they are doing a good job keeping up with new regulatory compliance requirements, but they in fact admit they face difficult challenges managing compliance, according to a survey conducted by GRC firm Lockpath. More than three-quarters of the companies said they had taken on new regulatory obligations in the past year and almost all said they did at least an average job keeping up, with nearly half characterizing their performance as above average or excellent.
However, the survey data suggests that compliance comes at a cost in management challenges. The companies reported significant difficulties in five key compliance management tasks:
- Getting one consolidated view of risks: 39% said this is extremely challenging, and more than half somewhat challenging.
- Staying on top of new regulations: Despite the overall statement that they felt they were doing well, nearly nine of 10 respondents call this task extremely or somewhat challenging.
- Exposing and remediating threats and vulnerabilities quickly: Also, nine out of 10 found this challenging
- Assigning ownership to compliance-related tasks and monitoring: One would think this would be well-defined, but half the companies find this somewhat challenging, and 18% extremely challenging.
- Preparing for audits: Seven in 10 companies find audit preparation somewhat challenging, only 6% extremely challenging, suggesting that companies have made some progress standardizing their audit operations but still have work to do.
The survey included 175 U.S. compliance and risk practitioners, about three-quarters of them from companies with 1,000 or more employees.
One of the more startling findings was that exactly two-thirds of the responding companies do not track costs associated with compliance. This probably indicates a lack of standard, centralized compliance processes with attendant lack of accountability at the corporate level. Many corporate compliance programs, or lack thereof, are notable for disparate, redundant efforts rather than a unified approach that maps controls to regulatory requirements across regulations, reducing waste and minimizing “audit fatigue.”
More than half say they have no way for executives to view reports, and more than three-fifths say they have no way to ensure that partners and vendors are in compliance, leaving a significant gap from both compliance and security perspectives.
Four of five respondents consider the ability to consolidate, centralize and mine business-critical risk and compliance data the most important feature of a compliance tool, but nearly half say their current tools/processes are not adequate for this task. Nearly three-quarters of the companies have some sort of risk-compliance products, in place, but a third of these are home grown. This type of in-house solution is often highly manual, inefficient and error prone. Lockpath, a fairly new company, is one of a number of vendors who offer IT GRC products (others include Agiliance, Modulo, RSA Archer, Rsam and Symantec) that offer products to centralize and automate the gathering, analysis of compliance and risk data from tools and assets across the enterprise, automate workflows and facilitate audit and reporting.