According to the State of Continuous Controls Monitoring (CCM) Report, over half of CISOs (51.6%) still struggle to meet their governance, risk, and compliance (GRC) goals. As security leaders navigate increasingly complex technology environments, compliance with new and existing regulations remains a significant challenge.
The report reveals a critical insight: while most CISOs see automation as a key opportunity to reduce manual processes, few are leveraging AI-powered tools in their compliance programs. This gap highlights the urgent need for modernization in compliance strategies. But are CISOs ready to transform their compliance programs?
Automation is essential
While GRC is undeniably challenging, automation offers hope for overburdened CISOs. Indeed, nearly 80% of CISOs recognize automation as an important opportunity to reduce manual processes in their compliance and risk management programs. What they expect from that automation varies, however. Just over half (51.1%) expect automation to enable them to optimize compliance through a single pane of glass, yet only 14.2% would prioritize this approach. Similarly, nearly half (46.3%) believe automation would allow them to rapidly apply governance, but only 12.1% of CISOs would prioritize it.
Is compliance ready for GenAI?
And even though automation and generative artificial intelligence (GenAI) remain hot topics, most CISOs aren’t ready to adopt both technologies. In fact, 82.1% of organizations aren’t currently using GenAI tools or functions in their compliance programs. Interestingly, nearly one-third (33.2%) of organizations have incorporated automation in their compliance programs, but without GenAI tools.
Perhaps this isn’t surprising, as GenAI tools like ChatGPT were only publicly released about two years ago. Building GenAI capabilities into compliance tools may have happened quickly, but building trust and changing the culture of compliance teams takes more time. The report showed progress, however: 17.9% already use GenAI in their compliance programs and 72.1% have developed policy and process language to ensure GenAI technology is used responsibly when (or if) it’s deployed.
Compliance as Code starting to gain ground
Compliance as Code, which automatically demonstrates that new code complies with defined policies and regulations, is also getting traction. According to the survey, 13% of CISOs have adopted or are planning to adopt technologies that enable Compliance as Code, such as the Open Security Controls Assessment Language (OSCAL) and the Open Cybersecurity Schema Framework (OCSF). Gartner® estimates, “By 2026, 70% of enterprises will have integrated compliance as code into their DevOps toolchains, reducing risk management and improving lead time by at least 15%.”
Despite barriers to Compliance as Code adoption, nearly all respondents (94.2%) do believe continuous controls monitoring (CCM) will improve both compliance and security. They simply haven’t decided which technology to adopt yet.
Budget and cost considerations
Adopting new technologies always comes with budget implications. While half of CISOs spend over $200,000 annually on compliance-related resources, 69.7% consider cost an important factor when selecting tools and vendors for governance and CCM. For nearly a third, financial matters are the primary reason for resistance to change, even if that change might ultimately result in cost savings. Perhaps this is because most organizations (66.3%) don't measure the operational cost of managing compliance (larger organizations are even less likely to measure this expense). But it's impossible to assess ROI or make informed budget allocation decisions without this measurement.
Prioritizing compliance and risk… or falling behind?
Unsurprisingly, considering the penalties for noncompliance, the survey showed that financial services companies are most concerned about meeting regulatory requirements (62.5% consider them a top priority). However, compliance isn’t currently a priority for 66.7% of companies in entertainment and media or for 42.9% of manufacturers. Instead, 90% of manufacturers, 82.1% of healthcare providers, 75% of entertainment and media companies, and 73.8% of software and IT companies cite cost as a priority. At the same time, nearly half of the organizations with less mature programs attributed their difficulties to a lack of personnel or resources and nearly half (46.2%) cited insufficient budget as the primary reason for not using GRC tools.
A simpler path to managing risk & compliance
The survey shows a clear mandate for increased automation to make risk and compliance easier and more effective. It’s time for organizations to explore GenAI and Compliance as Code because these technologies offer the greatest potential for streamlining compliance processes. The old adage, “what gets measured gets managed,” has never been more apt. Organizations must measure the operational costs of compliance to make more informed decisions about their technology investments. Today’s mercurial regulatory environment highlights the need for CISOs to overcome cultural barriers and embrace new technologies that enable more resilient and efficient compliance programs.