Despite increased budgets, organizations struggle with compliance

Only 40% of organizations feel fully prepared to meet the compliance demands of rising cybersecurity regulations, according to a new Swimlane report.

Organizations still feel unprepared for new regulations despite 93% of organizations rethinking their strategies and 92% increasing budgets.

In light of landmark developments like the SEC’s incident rules on cybersecurity incident disclosure and the EU’s Cyber Resilience Act (CRA), Swimlane sought to investigate how the shifting cybersecurity regulatory environment influences security budgets and compliance strategies. Swimlane surveyed 500 cybersecurity decision-makers at enterprise companies with at least 1,000 employees in the United States and the United Kingdom.

“Geopolitical turmoil and complex regulations have made cybersecurity a strategic imperative,” said Michael Lyborg, CISO at Swimlane. “While regulations are driving strategy shifts and increased budgets, the talent shortage and fragmented infrastructure remain obstacles to compliance and resilience. To succeed, organizations must find the right balance between human expertise for complex situations and AI-enhanced automation tools for routine tasks. This will alleviate operational strain and ensure security professionals can focus on the parts of the job where human judgment is irreplaceable.”

Regulations fuel strategy shifts

93% of organizations report rethinking their cybersecurity strategy in the past year due to the rise of new regulations, with 58% stating they have completely reconsidered their approach. The strategy shifts are also impacting the roles of cybersecurity decision-makers, with 45% citing significant new responsibilities.

92% of organizations reported an increase in their allocated budgets. Among these organizations, a significant portion (36%) witnessed budget increases of 20% to 49%, and a notable 23% saw increases exceeding 50%.

Many organizations still doubt their compliance readiness, with only 40% feeling confident their organization has made the necessary investments in resources, tools, and personnel to fully comply with relevant cybersecurity regulations. A concerning 19% said their organization has done very little.

56% of companies stated they could report security incidents to investors, boards, and regulators within 1-2 business days. However, 43% of respondents report increased reporting time over the past year.

Only about one-third of respondents expressed full confidence in their organization’s current ability to meet the CRA’s key requirements.

AI regulation demands and privacy concerns

83% of respondents believe there should be regulations on the development and use of AI. When asked about the biggest challenges they currently face in adopting or expanding the use of AI within the organization, 58% cited balancing the need for data collection and analysis with maintaining adherence to data privacy regulations and user trust.

“Spending over a decade working at government agencies including the Dept of Defense and Dept of Homeland Security I was able to see firsthand the vital importance of robust cybersecurity for national security infrastructure,” said Cody Cornell, chief strategy officer of Swimlane.

“This urgency is reflected in the recent surge of regulations. However, our research shows a clear disconnect between the strategic changes organizations are making and their confidence in achieving full compliance. This highlights the need for a comprehensive approach that addresses not just technology investments but also talent, training, and streamlined workflows to navigate the dynamic regulatory environment,” concluded Cornell.