Is everyone in your organization on the same page? Our latest Compliance Benchmark Report uncovered the disparity between what boards and regulations require versus how internal teams perceive the strategy behind corporate compliance programs.  

When helping organizations launch or refine their cybersecurity compliance programs, one of the first questions we ask is, “What is the primary purpose or driving force behind your corporate compliance program?” 

In some industries, such as healthcare, financial services, and government contracting, cybersecurity compliance is a legal requirement, which means yearly audits are simply a reality of doing business in a carefully regulated space. But for industries where compliance is not a legal necessity, motivations can range from satisfying internal stakeholders to building trust with customers, prospects, and partners.  

In our 2021 Compliance Benchmark Report, we asked more than 200 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals about their compliance programs. We learned that even though the main impetus for compliance can vary, the one common thread is that organizations often pursue compliance audits to win new business.  

Let’s take a closer look at some of the drivers for corporate compliance programs and the potential reasoning behind the distribution of responses.  

The Purpose of Compliance is Subjective 

We asked respondents to rank the primary drivers of their organization’s compliance program from a list of common motives. Interestingly, there was no clear-cut leading cause; answers for the “most important” driver were evenly distributed. Top responses included regulatory requirements (19%), meeting board-level mandates (16%), and establishing trust with potential and existing customers (15%).  

If you evaluate this data at face value, it’s easy to draw the conclusion that the key drivers of compliance are divided evenly and are, therefore, equally important. However, it’s worth noting that the audience for this survey encompassed different departments and job titles. It’s possible that employees serving in different functions and at various levels of an organization have unique perceptions about what is really driving these projects. 

For example, an IT QA analyst may receive information about their role in an upcoming compliance project and assume it is being driven by a new law or regulation. At the same time, an executive who oversees the compliance program creation at a high level might view it as an effort to retain clients that could leave in favor of a company with a stronger cybersecurity posture.  

In other words, members of an organization may not always be on the same page about the primary driver of their compliance programs.  

Winning New Business Is Often a Major Benefit of Compliance 

While our survey didn’t identify a clear leading cause for compliance programs, it did highlight a frequent benefit that organizations receive from conducting audits and assessments regardless of the motivation: winning new business. In fact, our survey data showed that 64% of respondents conducted an audit or assessment with the specific goal of winning new business. To that point, 14% of respondents said they lost a business deal because they were missing a certain compliance certification.  

This data is indicative of the way many organizations approach audits and assessments: in a reactive manner. We often find that cybersecurity compliance audits and assessments come onto an organization’s radar when a customer, prospect, or partner requests proof of compliance with a specific framework, such as SOC 2 or HITRUST, during the sales process. From there, a request is typically sent to an IT or cybersecurity manager to start pursuing a certification or assessment badge, and suddenly personnel across all departments are scrambling to figure out what they need to do to help the organization pass the audit or assessment. 

To be clear, leveraging cybersecurity compliance to win new business isn’t a bad idea. When audits and assessments are conducted in a reactive, non-strategic manner, however, it becomes an inefficient road to compliance that can cost organizations valuable time and resources.

Reactive Audits Prevent a Cohesive Compliance Strategy 

When we asked survey respondents to identify the greatest challenge that hinders their organization’s compliance strategy, 23% reported that their audits are reactive and driven by customer requests rather than internal management. 

This bottom-up approach to cybersecurity compliance often results in disjointed, unnecessarily repetitive audits that don’t take advantage of a cohesive compliance strategy. Relatedly, our survey found that 85% of organizations conduct more than one audit each year, but only 14% consolidate audits into a single annual event.  There are a number of benefits to implementing a Master Audit Plan (MAP) within an organizations, primarily because a MAP can alleviate the pain points that are traditionally associated with an audit process.  Specific benefits of a MAP include: 

• Combining efforts across audits to decrease workload  
• Completing multiple audits in less time  
• Optimizing evidence collection and usage  
• Creating efficiencies   
• Freeing up resources to concentrate on more strategic initiatives  
• Streamlining costs   
• Protecting your brand  
• Allowing organizations to think of their program more holistically and systematically  
• Better communication to internal stakeholders on progress and process  
• Limiting the number of auditors to manage  

Key Takeaways  

Although modern business leaders are more aware than ever of the dangers of cybersecurity threats, employees may not be on the same page about the true purpose of their compliance programs. And though cybersecurity compliance is undoubtedly a great way to win new business, it can take a toll on productivity and profitability when audits and assessments are a reactive, customer-driven endeavor instead of a carefully planned effort that involves buy-in across all departments. 

Organizations can greatly benefit from spending more time at the onset of a cybersecurity compliance initiative to ensure the right people, processes, technology, and/or partners are in place to facilitate long-term success. This means looking beyond the compliance projects that are on the immediate horizon to decide how to start laying the groundwork for future audit and assessment needs. 

Download the 2021 A-LIGN Compliance Benchmark Report
Ready to refine your compliance program?