The state of cybersecurity compliance in 2023 – part 1

Coalfire recently released our latest Securealities Compliance Report revealing the major industry trends we’ve been tracking over the past few years. Perhaps the most crucial shift coming to light this year is that the compliance paradigm has arrived at a new state of maturity. In the eyes of executive leadership, compliance programs have evolved from profit-blockers to mission-critical business differentiators vital to new market entry. Enabling business growth through multi-framework certifications is the security team’s new corporate directive, while at the same time (and as always) keeping the bad actors at bay.

In this blog series, we’ll examine the trends and offer guidance for cyber teams looking to gain a competitive advantage with their compliance programs. In this first post, we’ll summarize the top three strategic imperatives driving compliance management decisions: cost, complexity, and automation.

Rising compliance costs

The survey data, compiled by our research partner Omdia, confirms that compliance costs continue to rise. Well over half of enterprise security professionals have seen increases in operational spending.

• 58% of retail, financial services, tech, and healthcare companies report rising compliance costs.
• Over 40% claim 25%+ budget increases since 2020 and expect costs to continue to rise.

As CISOs already know, C-suites and boards demand better efficiencies and better ROSI (return on security investment). Across all industry sectors, gaining speed to market is more critical than ever, and cyber integrity needs to keep up with the corporate mandate to lower costs and increase competitive advantage.

Entering a new market that requires a new compliance credential is always a high-risk business proposition. Failure to launch is costly. Marketing and sales teams can’t afford mistakes or compete with a weak value proposition, and must rely on compliance teams to help build trust by demonstrating compliance with industry-required frameworks.

Leadership wants access to new markets without hiring new staff for every regulatory regime. For CISOs, the key to success is to prepare for new market entry by leveraging multiple frameworks that can scale quickly, on demand, and without breaking the bank.

Increasing complexity of compliance frameworks

With fiscal pressure comes more responsibility, and compliance teams are managing far more framework environments than they were three years ago. Adding to both management and technical complexities, most compliance regulatory bodies are planning major policy and requirement revisions in the near future. The vast majority of those surveyed (77%) are preparing for significant migrations over the next 18 months.

• The mandatory requirements of data protection frameworks impact 84% of those surveyed.
• Nearly 70% of companies surveyed manage at least six frameworks.

Especially for cloud service and SaaS providers, failure to comply with the more stringent cloud security compliance guardrails prescribed by FedRAMP, CMMC, PCI DSS, ISO, and HITRUST – and now the Securities and Exchange Commission updates – will result not only in more corporate liability but personal legal exposure for executives.

With such complicated assessment, testing, and certification regimes, a well-informed platform to manage the explosion of requirements is the solution to the problem of managing multiple frameworks, with automation of technical control review as the icing on the cake. However, despite the rapid evolution from check-the-box compliance programs to continuous deployment, testing, and assurance integration, we’re still in the early days of compliance transformation.

The race to compliance automation

The ability to enter new markets generally conflicts with the capacity to scale operations within various regulatory ecosystems, and most platforms aren’t built for this type of use case. So far, the automation space has developed primarily toward supporting basic needs and single frameworks. The red flag here is that complexity can quickly snowball, and tech-enabled platforms must be comprehensive in their ability to perform in hybrid environments with strong operational resilience.

• 56% of large enterprise security teams now use automation software to manage compliance.
• 64% of $1 billion+ enterprise respondents use automated evidence mapping to manage OpEx in multi-framework environments.

The report warns that automation by itself is not a set-it-and-forget-it magic wand. In the move toward continuous integration and deployment of compliance operations, our survey confirms that the fundamental drivers for cost controls and technology efficiencies still require the traditional skillsets: institutional knowledge, human intelligence, cyber experience, rigorous due diligence, and veteran oversight.

With these market forces in mind, Coalfire announced a significant upgrade to our technology platform, Compliance Essentials, in late 2022. In contrast to Coalfire’s Compliance Essentials platform, designed from the ground up by the industry’s top cyber compliance experts, most compliance automation products today have been designed and built by software developers and marketing folks. If the solution isn’t tuned to the proper levels of detail supporting real-world assessments, many companies can be disappointed in the actual value they’re getting from their platform.

While many platform companies suggest they integrate expert perspectives into their product, in reality, many of those experts only bring their individual perspectives rather than a more robust and complete understanding of each framework and associated nuances. As a result, more than 75% of clients with existing GRC software or other systems in place come to Coalfire in search of a new tech-enabled solution that can solve the growing problems of costs, certification challenges, and barriers to market entry.

Comprehensive compliance transformation

Cost, complexity, and automation are the key areas of compliance management focus. Keeping costs down while complexity goes up is the problem. Automation is the solution. However, a quarter of enterprise security programs haven’t even started planning for the major framework revisions and migrations coming down the pipeline. Some industry sectors are well ahead of the game, but on average, there is still a long way to go from full market adoption.

In the next blog in this series, we’ll explain how to get there. By drilling deeper into the data, we’ll recommend the essential steps to assess enterprise readiness, prepare for transformation, and ultimately achieve competitive advantage through compliance automation.