Security compliance obligations are exhausting UK organizations

UK organizations are deprioritizing compliance work due to the time and financial investment it requires, according to new research from Vanta.

Vanta’s State of Trust Report found that amidst shrinking budgets and staffing shortages, firms are reallocating resources away from compliance obligations.

The report shows UK businesses are spending more than nine working weeks each year on staying compliant with current security standards, working out to eight hours a week – above the global average of seven and a half.

Exacerbating the issue is the fact that businesses are finding it harder to stay up-to-date with new regulations. More than half (55%) of respondents said remaining compliant with national standards is becoming increasingly challenging.

This has led to fatigue among businesses, with 44% of respondents admitting their organization has deprioritized compliance due to the time it takes.

The study found on average only 9% of IT budgets are dedicated to security and 33% of leaders say their overall budgets are shrinking. 

Furthermore, 34% of decision-makers in the UK have already reduced their IT security budget, with another 28% planning on cutting security funding in the future.

The strain on IT departments isn’t limited to finances, Vanta revealed; it also extends to staffing. One-in-four businesses said they have reduced their IT staff in the last year.

A third of respondents ranked the lack of staffing to manage the compliance process as the biggest barrier they face to proving and demonstrating security externally.

The security improvement imperative

The findings show organizations recognize they are faced with an increasingly sophisticated security landscape and need to adapt to growing threats.

Almost two-thirds (66%) of UK respondents agree their business requires security and compliance improvement measures, with one-in-four characterizing their organization’s security and compliance strategy as reactive.

Over half of IT decision-makers admit they are concerned data management is becoming more challenging with the widespread adoption of artificial intelligence (AI) tools and that using generative AI could erode customer trust.

Automation could be the key 

Despite these concerns, many IT leaders identified AI as part of the solution to help businesses struggling to keep up with compliance obligations.

The lack of automation to replace manual work was identified by 30% of respondents as the largest factor inhibiting their ability to meet security standards. 

Vanta’s findings reveal half of businesses globally are still managing risk surfaces manually, and this increases to 54% of businesses in the UK. 

As a result, 63% of decision-makers believe automating compliance could save their organizations time and money. A strong majority of businesses (81%) plan on increasing their use of automation or have done so already.


Respondents think they could save upwards of two hours per week if security and compliance tasks were automated, which works out to over two and a half working weeks per year.

Diego Susa, head of engineering at Unleash, believes automation will be an integral part of compliance activities moving forward, without sacrificing trust.

“Human-driven compliance is so slow that it will stifle your innovation and time-to-market. When it comes to compliance, automation is king,” he said.

“The platforms and tools we’re using to build our product generate more than enough evidence to prove security. You don’t need humans to do unnecessary work to prove your company is trustworthy.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.