
Governance, risk and compliance (GRC) processes are wasting thousands of person-hours annually just collecting evidence. Teams are manually juggling frameworks and scrambling to complete audits with processes that can’t scale.
This is a key finding of the latest State of Continuous Controls Monitoring Report from RegScale. It shows that 94 percent of organizations believe that Continuous Controls Monitoring (CCM) will improve both compliance and security, but that only 28 percent are actually doing it.
Based on a survey of more than 250 infosec leaders, it shows a recognition of the need for change, but implementation is still an issue. While 95 percent of respondents have implemented some automation in their GRC processes, only four percent have achieved full automation. Just 28 percent monitor their security controls continuously in real time, while 72 percent still rely on periodic assessments.
There’s a heavy burden on teams too: 83 percent report that manual compliance work causes moderate or major delays in meeting regulatory requirements. Evidence collection is a prime example, with 58 percent of organizations dedicating over 2,000 person-hours annually to this one manual task.
That burden is increasing too: more than a third of organizations report that over half their compliance workload is dedicated to requirements which have been introduced in the last five years.
In the face of all this, it’s not surprising that many are starting to turn to AI. This is delivering universal improvement in Cyber GRC, with 100 percent of AI adopters reporting positive outcomes and 64 percent seeing significant or transformational benefits. Organizations are also achieving major time savings through automation, with 23 percent saying it’s cut the time spent on compliance tasks by more than half.
However, the report concludes that the gap between recognizing the need for automation and implementing it remains. “Compliance and security teams are doing everything they can, but the human burden has become unsustainable,” says Dale Hoak, CISO at RegScale. “This year’s findings highlight that organizations are delaying critical activities, struggling to monitor controls in real time, and relying on legacy manual processes that directly undermine security readiness. Continuous Controls Monitoring is the bridge that helps teams reduce labor, improve visibility, and ultimately modernize and strengthen resilience in an increasingly complex environment.”
The full report is available from the RegScale site. You can also register for a webinar to discuss the findings on Jan 27th at 1pm ET.
Image credit: BiancoBlue/depositphotos.com
