According to a new report from Swimlane, only 40% of organizations feel fully prepared to meet cybersecurity regulatory compliance requirements.
Despite 93% of organizations reviewing their strategies and 92% increasing their budgets, organizations still feel unprepared for new regulations.
In light of groundbreaking developments such as the SEC’s Incident Rule on cybersecurity incident disclosure and the EU’s Cyber Resilience Act (CRA), Swimlane investigated how the changing cybersecurity regulatory environment will impact security budgets and compliance strategies. Swimlane surveyed 500 cybersecurity decision makers at companies with 1,000+ employees in the US and UK.
“Geopolitical turmoil and complex regulations have made cybersecurity a strategic imperative,” said Michael Lyborg, CISO at Swimlane. “Regulations are driving strategy shifts and budget increases, while talent shortages and fragmented infrastructures are obstacles to compliance and resilience. To succeed, organizations must find the right balance between human expertise for complex situations and AI-enhanced automation tools for routine tasks. This reduces operational burden and allows security professionals to focus on parts of the job where human judgment is essential.”
Regulation prompts shift in strategy
93% of organizations report that they have reviewed their cybersecurity strategy in the past year due to an increase in new regulations, and 58% say they have completely overhauled their approach. The shift in strategy is also impacting the role of cybersecurity decision makers, with 45% citing significant new responsibilities.
92% of organizations reported an increase in their allocated budget. Of these organizations, a significant proportion (36%) saw their budget increase between 20% and 49%, and notably, 23% saw an increase of over 50%.
Many organizations still question their compliance readiness, with only 40% confident that their companies are investing in the resources, tools and people necessary to fully comply with relevant cybersecurity regulations. Worryingly, 19% of organizations say their companies are doing very little.
56% of companies say they are able to report security incidents to investors, boards, and regulators within one to two business days, although 43% of respondents reported that reporting times have increased over the past year.
Only about one-third of respondents expressed complete confidence in their company’s current ability to meet the CRA’s key requirements.
Calls for AI Regulation and Privacy Concerns
83% of respondents believe that the development and use of AI needs regulation. When asked about the biggest challenge they currently face in adopting or expanding the use of AI within their organization, 58% cited balancing the need to collect and analyze data with complying with data privacy regulations and maintaining user trust.
“Having worked for more than a decade in government agencies including the Department of Defense and Department of Homeland Security, I’ve seen firsthand how critical strong cybersecurity is to our national security infrastructure,” said Cody Cornell, Swimlane’s chief strategy officer.
“This urgency is reflected in the recent proliferation of regulations. Yet our survey finds a clear disconnect between the strategic changes organizations are making and their confidence in achieving full compliance. This highlights the need for a comprehensive approach that addresses not only technology investments but also talent, training and streamlined workflows to navigate a dynamic regulatory environment,” Cornell concluded.