Cybersecurity, Compliance
We asked nearly 200 industry professionals about cybersecurity regulations and their effect on relationships with clients and vendors. Here’s what they said.
Q1: To which information security regulations are your company subject?
| FERPA | 12.0% |
| FISMA | 10.7% |
| GDPR | 17.3% |
| GLBA | 10.7% |
| HIPAA | 32.7% |
| NIST | 12.0% |
| PCI-DSS | 28.7% |
| SOC | 10.7% |
| None | 8.0% |
| I’m not sure | 40.0% |
| Other | 6.0% |
Q2: In the last 24 months, has a client or vendor requested or required that your company provide documentation on information security plans, processes, business agreements or certifications?
| Yes | 39.8% |
| No | 48.8% |
| I’m not sure | 11.5% |
Q3: What was your company asked to provide?
| Third-party / independent audit results | 42.9% |
| Internal audit results | 39.7% |
| Formal / legal confirmation of compliance | 33.3% |
| Informal confirmation of compliance | 47.6% |
| Security questionnaire | 76.2% |
| I’m not sure | 6.4% |
| Other | 4.8% |
Q4: Has your company provided all the requested items?
| Yes | 83.9% |
| No | 6.5% |
| I’m not sure | 9.7% |
Q5: Does your company intend to provide all the requested items?
| We intend to provide all of the items | 27.3% |
| We intend to provide some of the items | 27.3% |
| We do not intend to provide any of the items | 9.1% |
| I’m not sure | 36.4% |
Q6: Why is your company not going to provide all the requested items?
| Too expensive | 0.0% |
| Too time consuming | 50.0% |
| Too complicated | 25.0% |
| Lack of compliance | 25.0% |
| Business relationship is not important enough | 0.0% |
| I’m not sure | 25.0% |
| Other (please specify) | 50.0% |
Q7: On a scale of 1-5, how important is your company’s information security?
| (1) | Not at all important | 0.7% |
| (2) | 0.7% | |
| (3) | Somewhat Important | 7.4% |
| (4) | 21.5% | |
| (5) | Criticaly Important | 69.8% |
Q8: Why is your company’s information security important?
| Regulations require it | 53.2% |
| Vendors require it | 21.8% |
| Clients require it | 59.6% |
| Protection of the information your company holds | 84.0% |
| Protection of your company’s brand | 52.6% |
| Protection of your clients’ and customers’ brand | 50.0% |
| It is not important | 2.6% |
| Other | 1.9% |
Q9: To which information security regulations are your clients or vendors subject?
| Family Educational Rights and Privacy Act (FERPA) | 12.0% |
| Federal Information Security Management Act of 2002 (FISMA) | 10.7% |
| General Data Protection Regulation (GDPR) | 17.3% |
| Gramm Leach Bliley Act (GLBA) | 10.7% |
| Healthcare Insurance Portability and Accountability Act (HIPAA) | 32.7% |
| National Institute of Standards and Technology (NIST) | 12.0% |
| Payment Card Industry Data Security Standard (PCI-DSS) | 28.7% |
| Service Organizational Control (SOC) | 10.7% |
| None | 8.0% |
| I’m not sure | 40.0% |
| Other | 6.0% |
Q10: In the last 24 months, has your company requested or required that a client or vendor provide documentation on their information security plans, processes, business agreements or certifications?
| Yes | 34.0% |
| No | 50.0% |
| I’m not sure | 16.0% |
Q11: What did your company ask them to provide?
| Third-party / independent audit results | 37.5% |
| Internal audit results | 27.1% |
| Formal / legal confirmation of compliance | 56.3% |
| Informal confirmation of compliance | 50.0% |
| Security questionnaire | 41.7% |
| I’m not sure | 4.2% |
| Other | 0.0% |
Q12: Have they provided all the requested items?
| Yes | 89.8% |
| No | 6.1% |
| I’m not sure | 4.1% |
Q13: Are you expecting them to provide all the requested items?
| We expect them to provide all of the items | 20.0% |
| We expect them to provide some of the items | 60.0% |
| We do not expect them to provide any of the items | 20.0% |
| I’m not sure | 0.0% |
Q14: Why are you not expecting them to provide all the requested items?
| Too expensive | 25.0% |
| Too time consuming | 0.0% |
| Too complicated | 25.0% |
| Lack of compliance | 75.0% |
| Business relationship is not important enough | 0.0% |
| I’m not sure | 0.0% |
| Other (please specify) | 25.0% |
Q15: On a scale of 1-5, how important is your clients’ and vendors’ information security?
| (1) | Not at all important | 2.2% |
| (2) | 2.2% | |
| (3) | Somewhat Important | 10.1% |
| (4) | 18.8% | |
| (5) | Critically Important | 66.7% |
Q16: Why is your clients’ and vendors’ information security important?
| Regulations require it | 51.8% |
| Vendors require it | 31.4% |
| Clients require it | 56.9% |
| Protection of the information the companies hold | 66.4% |
| Protection of your company’s brand | 46.0% |
| Protection of your clients’ and vendors’ brand | 48.9% |
| It is not important | 5.8% |
| Other (please specify) | 3.7% |
Q17: Which most closely describes the industry in which you work?
| Banking / Finance | 5.9% |
| Consulting | 5.4% |
| Education | 7.0% |
| Government | 4.3% |
| Healthcare | 11.8% |
| Hospitality | 1.6% |
| Legal | 11.3% |
| Manufacturing | 8.1% |
| Non-profit | 5.9% |
| Real Estate / Construction | 7.5% |
| Retail | 1.6% |
| Technology / Telecommunications | 21.0% |
| Utilities | 1.6% |
| Other | 7.0% |
Q18: Which most closely describes your job function?
| Accounting / Finance | 5.4% |
| Administration | 19.0% |
| Business Owner | 16.3% |
| Customer Service | 1.1% |
| HR | 1.1% |
| IT | 29.4% |
| Legal | 4.4% |
| Operations | 20.7% |
| Sales / Marketing | 2.7% |
| Other (please specify) | 0.0% |
Q19: Which most closely describes your job level?
| Staff | 17.5% |
| Management | 28.4% |
| Senior Management | 22.4% |
| Executive Management | 31.7% |
Q20: How many employees does your company have?
| 1-50 | 48.4% |
| 51-500 | 29.0% |
| 501-1,000 | 10.8% |
| 1,001-10,000 | 7.5% |
| 10,001+ | 4.3% |
