New Osterman Research Report: Only 13% Happy With Compliance Methods

Burdensome Compliance Management Processes are Eating Into IT Budget

April 17, 2014

4 Min Read


A new Osterman study, sponsored by Security Awareness Training company KnowBe4, shows a low satisfaction level with current methods of managing compliance, despite the fact that 63% consider regulatory compliance to be “very important”. Only 13% are very satisfied with the current methods they use. Osterman's research also found typically 19% of compliance and audit time each year is spent on tracking requirements and another 31% on gathering and maintaining audit evidence.

According to the report, compliance management is subject to a high volume of change in regulations, with the US government leading the way as demonstrated by the growth of the US Federal Register. This document, a daily publication that contains proposed and final regulations of US federal agencies, published an average of 3,827 final rules and 2,445 proposed rules each year between 2002 and 2012. That represents an average of 14.7 final rules and 9.4 proposed rules each workday. Managing this level of change using manual processes can be very difficult, if not impossible.

“Much of the discontent stems from the focus on manual processes,” said Stu Sjouwerman, CEO of KnowBe4. “This is quite cumbersome and expensive. Improving the tracking and gathering of audit evidence alone can help an organization save considerably in both time and budget.”

To understand the high cost of conventional compliance management processes, Osterman Research conducted a survey with organizations in a variety of industries. Using a subset of their survey sample to eliminate outliers, they discovered that the combination of labor and expenditures on tools and services totals $523.93 per employee per year translates to a cost of $43.66 per month. For a company with 500 employees, that is $261,000.

One of the fundamental problems of compliance management is the fact that much of it is focused on manual processes – maintenance of spreadsheets or Word documents or  home-grown software that help an organization to stay current with its compliance obligations, but that require significant effort to maintain. Add to this the significant amount of time that is required simply to search for the right information to populate these documents and tools. One source has estimated that up to 80% of the time spent by compliance risk professionals is focused on the search for relevant data.

Moreover, there can be significant duplicate effort on the part of compliance management staff, particularly in large and distributed organizations because several people may be working on the same compliance issues unbeknownst to others in the organization. In conjunction with the manual nature of the compliance process in most organizations, this duplicate effort results in compliance management that is relatively inefficient and may actually be contradictory in some cases as different groups develop their own interpretation of how best to satisfy compliance issues.

KnowBe4 has developed KnowBe4 Compliance Manager (KCM), a cloud-based solution that consolidates audit management and regulatory compliance tasks into simple, automated workflows that prevent overlap and eliminate gaps. KCM includes a fast setup, consolidation of multiple regulatory requirements, centralized interface, alerts, task assignment and secure access to audit data.Organizations can create custom compliance templates that allow staff members to track compliance with any standard or regulation, including PCI-DSS, HIPAA, GLBA, SOX, FISMA, and state-specific requirements, among many others.

For more information visit

To learn more about KCM visit:

To download the new whitepaper, go to:

About Stu Sjouwerman and KnowBe4

Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, LLC, which provides web-based Security Awareness Training (employee security education and behavior management) to small and medium-sized enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced security awareness training. KnowBe4 services hundreds of customers in a variety of industries, including highly-regulated fields such as healthcare, finance and insurance and is experiencing explosive growth with a surge of 427% in 2013 alone. Sjouwerman is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.

Tags: GRC, Compliance Management, Compliance Automation Software, Security Awareness Training, PCI, HIPAA, GLBA


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights