Adherence to regulatory compliance standards such as HIPAA and PCI is critical in an era of heightened cyber risk. A new report by Arctic Wolf shows that while software supply chain compromises have tripled in the last year, it remains a challenge for many companies to identify the compliance rules they must follow, implement the appropriate controls, and devote sufficient resources to adopting security and compliance frameworks.
Arctic Wolf, which offers security monitoring services, surveyed 235 North American organizations for its report, “The State of Compliance: 2022 Trends.” The report found that 87% of respondents adhere to some framework of cybersecurity compliance, but only 24% of the organizations devote a full-time position to this responsibility.
This represents a significant challenge for companies navigating the numerous and complex frameworks available to them, said Arctic Wolf field CTO Christopher Fielder.
Anecdotally, Fielder said, some companies anticipate fines for failure and so build these fines into their cybersecurity budgets. “That’s very unfortunate,” Fielder noted. “That's going to eat the part of your budget that you maybe could apply to fixing the problems or hiring somebody to [help].”
Budget Constraints and Insufficient Headcount
The biggest compliance hurdles for companies now are budgetary constraints and lack of staff devoted to cyber risk, Fielder said. The report shows just how under-resourced cybersecurity efforts can be, with 60% of respondents saying they spend less than 10% of budgets on compliance and risk governance.
Fielder acknowledged that it’s difficult for organizations to reassess their security programs, but he asserted that they would benefit from doing so. Instead of seeing regulatory compliance as an end goal, Fielder urges organizations to treat compliance as “a foundational approach to then build your security posture off of.”
To that end, organizations should always be reassessing their methods. Fielder recommended that organizations run gap assessments to identify instances of non-compliance, then remediate those weak spots before they result in fines or compliance failures.
A Continual Journey of Improvement
Nearly one-fifth of survey respondents said they are unsure why they follow their current compliance standards, highlighting what Fielder called the danger of a “business-as-usual mindset.”
Even organizations with security programs that meet compliance obligations may suffer from an overly static approach. As threats evolve and organizations grow, so must the approaches these organizations take to compliance.
The Arctic Wolf report indicated that most companies will continue to try to meet the demands of ever-changing cyber risks. Ninety-seven percent of organizations plan to spend the same or more on their compliance programs in the next year.