
Despite increased budgets, organizations struggle to comply with regulations

A new report from Swimlane shows that only 40% of organizations feel fully prepared to meet the requirements for compliance with increasing cybersecurity regulations.


Organizations still feel unprepared for new regulations, even though 93% of organizations have rethought their strategies and 92% have increased their budgets.

In light of landmark developments such as the SEC’s Cybersecurity Incident Disclosure Rules and the EU’s Cyber Resilience Act (CRA), Swimlane set out to explore how the changing cybersecurity regulatory landscape is impacting security budgets and compliance strategies. Swimlane surveyed 500 cybersecurity decision-makers at enterprises with at least 1,000 employees in the United States and the United Kingdom.

“Geopolitical turmoil and complex regulations have made cybersecurity a strategic imperative,” said Michael Lyborg, CISO at Swimlane. “While regulations are changing strategies and increasing budgets, talent shortages and fragmented infrastructure remain obstacles to compliance and resilience. To be successful, organizations must strike the right balance between human expertise for complex situations and AI-powered automation tools for routine tasks. This will reduce operational burden and allow security professionals to focus on parts of the job where human judgment is essential.”

Regulations fuel strategy changes

93% of organizations reported rethinking their cybersecurity strategy last year due to new regulations, and 58% said they had completely rethought their approach. Changes in strategy also impact the roles of cybersecurity decision-makers, with 45% of respondents reporting significant new responsibilities.

92% of organizations saw their allocated budgets increase. Among these organizations, 36% saw their budget increase by 20% to 49%, and 23% saw an increase of more than 50%.

Many organizations still doubt their compliance readiness, and only 40% are confident that their organization has made the necessary investments in resources, tools and staff to fully comply with relevant cybersecurity regulations. A disturbing 19% said their organization had done very little.

56% of companies said they could report security incidents to investors, boards and regulators within 1-2 business days. However, 43% of respondents reported an increase in reporting times over the past year.

Only about one-third of respondents expressed full confidence in their organization’s current ability to meet key CRA requirements.

Regulatory requirements for artificial intelligence and privacy concerns

83% of respondents believe that there should be regulations regarding the development and use of artificial intelligence. When asked about the biggest challenges they currently face in adopting or expanding the use of AI in their organization, 58% cited balancing the need to collect and analyze data with maintaining compliance with data privacy regulations and user trust.

“Having spent more than a decade working in government agencies, including the Department of Defense and the Department of Homeland Security, I have seen first-hand how critical strong cybersecurity is to the national security infrastructure,” said Cody Cornell, chief strategy officer at Swimlane.

“This urgency is reflected in the recent increase in regulation. However, our research shows a clear disconnect between the strategic changes organizations are making and their confidence in achieving full compliance. This underscores the need for a comprehensive approach that considers not only technology investments, but also talent, training and streamlined workflows to navigate the dynamic regulatory environment,” Cornell concluded.