Today’s digitally enabled business sectors are more connected than ever, with information flowing constantly and seamlessly across internal systems, customer devices, third-party vendors, cloud-based services and more. Sometimes called the “extended enterprise,” this dynamic massively expands an organization’s traditional footprint – and has the potential to massively increase its exposure to scores of information and compliance risks.
As this dynamic continues to define modern enterprise, NAVEX surveyed over 1,300 risk and compliance (R&C) professionals across the globe in 2023 in order to better understand their priorities and programs. Not surprisingly, among our key findings covered in the resulting NAVEX State of Risk & Compliance Report (formerly known as the Definitive Risk and Compliance Benchmark Report) was evidence of a clear and strengthening interdependence between Compliance, Data Privacy and Information Security (InfoSec).
How are data and cyber risks impacting compliance programs?
Survey data show InfoSec to be the compliance issue respondents most often reported actually occurring at their organizations. Three in 10 respondents to this year’s survey said their organization experienced a data privacy/cybersecurity breach in the past three years. The next most common issue, cited by 21%, was regulatory or stakeholder demand for ESG transparency and reporting, a substantial margin behind. The 30% reporting an InfoSec issue was up from 22% in the prior year.
While respondents were not asked to rate the severity of a given compliance issue, even a casual search of news coverage turns up countless cases where a cyber breach caused substantial harm to an organization’s operations and reputation. Regulators are also paying closer attention to company InfoSec practices, which puts these issues squarely in the realm of Compliance.
These findings suggest compliance professionals – often sitting in Human Resources, Legal or other non-IT functions – could be spending much of their time worrying about unfamiliar concepts such as multi-factor authentication and zero-trust security architecture. That is not a recipe for success at many organizations, which makes it all the more important for InfoSec to have a seat at the table and to speak the same language of risk as other functional areas.
So, what is the state of collaboration between Compliance and InfoSec? Fewer than half of respondents (42%) said the relationship between Compliance and InfoSec was strong. The same share described the relationship as periodic and limited to IT security compliance and risk management requirements. Around one-tenth said the functions had little to no relationship. It is encouraging that some respondents report strong collaboration between these functions, but the modern risk and compliance landscape will only push those roles into closer alignment in the future.
Organizations do appear to treat InfoSec as a critically important risk, which suggests senior leaders would likely support the kind of cultural and operational changes that could bring Compliance and InfoSec into closer alignment. According to respondents, organizations view InfoSec as the most important risk management area: 53% rated data privacy and 52% rated IT/information security risk as “absolutely essential.” Only 38% said the same for operational risk, which ranked third on the list – a significant margin. Respondents by and large rated the various compliance risks as at least “important” to their organization, but the concentration of InfoSec at the most intense end of the scale can be read as a signal of urgency in how organizations think about it.
What is Compliance doing to address these shifts?
Given the rise of cited InfoSec issues, it may come as no surprise that cybersecurity and data privacy were two of the top-three compliance topics respondents said their organization planned to train on in the next two-to-three years. Sixty percent said they planned cybersecurity training, followed closely by 57% planning data privacy training. Rounding out the top three was ethics and code of conduct training – an area more aligned to the traditional focus of Compliance.
The rise of remote and hybrid work models stands to make this planned training more complicated, which illustrates the benefit of collaboration between Compliance and InfoSec. Consider telemedicine: are physicians following appropriate practices, both in their physical workspace and in their use of technology, to ensure patient privacy is protected? A strong relationship between Compliance and InfoSec can help ensure training fully addresses the risks of these new working environments.
As with other aspects of the 2023 State of Risk & Compliance report, these findings give R&C professionals a reference point for assessing their own programs. They also provide valuable talking points for gaining buy-in from decision-makers elsewhere in the organization. That InfoSec sits in such a prominent place, both among the issues R&C professionals face and among the priorities of their programs, is a clear signal that Compliance and InfoSec are converging ever more closely. This is a trend R&C professionals should strive to support.
Ready to learn more?
Ready to learn more about the State of Risk & Compliance? Great – we have you covered with the complete report, full of other findings and data points to shed light on all aspects of compliance program performance. For the full report: