Building Better GRC Habits: Why 2025 Is the Year To Embrace Continuous Controls Monitoring

January 30, 2025 | By J. Travis Howerton
Building Better GRC Habits: The Case for CCM in 2025

Every January, we commit to building better habits. We buy gym memberships, download meditation apps, or swear to finally learn that new language. But here’s a thought: how well are our organizations carrying out their own New Year’s resolutions? 

Looking at the state of GRC today, it’s clear that many security and compliance teams are stuck in what we can call the “January gym membership trap”: investing in tools and making commitments, but struggling to create lasting change. 

Our new report, The State of Continuous Controls Monitoring, reveals a stark reality: although 58% of organizations use GRC tools to manage compliance evidence, only 5% consider their compliance program to be optimized for efficiency and continuous improvement. In other words, they’re paying for the gym membership, but they’re not developing the habits that lead to real transformation. 

What’s going on beneath the survey? And what’s the solution? Today, I’ll unpack survey results from nearly 200 CISOs and explore how organizations can adopt lasting habits that will transform their GRC outcomes for 2025 and beyond. 

The cultural shift: from checkbox compliance to a continuous mindset

According to the research, 94% of CISOs believe that Continuous Controls Monitoring (CCM) will improve both compliance and security at their organization. But buying a new tool isn’t enough to achieve a truly continuous approach to GRC — just like signing up for that Planet Fitness membership isn’t enough to build those new muscles. It’s an important first step, but it has to be part of a sustained behavioral shift.

One key element of creating new GRC habits is breaking free from point-in-time thinking. Only focusing on compliance when an audit is coming up is like only studying the day before a big test: stressful, tiring, and ineffective.

Still, many organizations are caught in the point-in-time habit. They scramble before audits, pull all-nighters gathering evidence, and breathe a sigh of relief when it’s over — at least until the next audit looms on the horizon. And the research shows that this kind of reactive approach is all too common. 

  • Over 50% of organizations report that compliance isn’t embedded in their CI/CD pipeline. 
  • Nearly 80% of CISOs admit to some degree of unnecessary duplication in their organization’s compliance efforts. 
  • More than half of CISOs cite skilled staff shortages as their biggest challenge. 

Simply put, manual point-in-time compliance checks don’t create a sustainably secure organization. Organizations need to transform their relationship with compliance from an occasional mad scramble to a steady, well-integrated part of their operations.

The answer lies in continuous controls monitoring. CCM provides the real-time visibility and automation that organizations need to handle the draining, repetitive tasks of compliance. Add to that a continuous mindset — the cultural shift from “compliance as an event” to “compliance as a constant” — and you have a solid corrective for the bad habit of a point-in-time mindset. 

What’s getting in the way?

CISOs already know that they need better GRC habits, and the vast majority are excited about Continuous Controls Monitoring. The CCM results speak for themselves, offering: 

  • Reduced manual processing (cited by 79.8% of CISOs as the biggest opportunity in adding automation to their programs) 
  • Enhanced risk visibility and real-time insights 
  • Improved efficiency through automation 
  • Better alignment between security and compliance teams 

What’s stopping every company and agency from implementing CCM tomorrow? Like most organizational transformations, it’s complicated.

Money worries

The most obvious answer is cost. According to the research, 31.1% of CISOs cite financial concerns as their organization’s primary resistance to change. That makes sense: organizations of all types and sizes continue to be very budget-conscious about their compliance-related decisions, with nearly three-quarters of CISOs saying that their general decisions about company priorities are based on cost. This is particularly true in sectors like manufacturing, healthcare, entertainment and media, and software/IT services, where profit margins are often tight and competing initiatives abound.

The obstacle is coming from inside the house

Here’s the surprising part: organizational resistance actually has more of an impact than cost. A whopping 55% of CISOs point to cultural barriers within their organization as the main obstacle in implementing CCM.

This cultural resistance can manifest in various ways. Teams too comfortable with their existing processes may resist new workflows, middle management may fear disruption to their established routines, or there may just be organizational fatigue from too many previous initiatives to muster up the enthusiasm for another.

Struggling to make the habit stick

Of course, there are lots of other reasons why organizations are slow to adopt CCM. The research highlighted several significant barriers, including inadequate staffing, time-sensitive customer demands, and competing strategic initiatives.

But one of the biggest reasons — and the one that’s most closely tied to organizational resistance — is that new habits are just plain tough to get going. It’s human nature: according to The Ohio State University, 23% of people quit their New Year’s resolutions by the end of the first week, and nearly half quit by the end of January. It’s not surprising that organizations face many of the same challenges with habit formation.

Building new GRC habits for 2025

As someone who’s led organizations through the CCM transformation, I’ve learned that successful habit change requires breaking big goals into smaller, manageable steps. There’s no one-size-fits-all approach, but here are some solid starting points to implement a continuous mindset and build your organization’s new GRC habits.

Start with the quick wins.

The research shows that 79.8% of CISOs see reducing manual processing as their biggest opportunity — so look for processes that are currently manual, repetitive, and time-consuming. (You might start with evidence collection for common controls like access reviews or change management documentation.) When stakeholders see how much time can be saved on these basic tasks, you’ll gain more buy-in for automating the more complex processes. 

Target your team’s pain points.

Nearly half of CISOs say that evidence gathering is one of their greatest challenges. Building off your quick wins, look for the tasks your team dreads most. (Maybe it’s screenshot gathering, spreadsheet updating, or clunky communications across different tools.) These are perfect candidates for early automation, since solving these problems creates immediate relief and builds goodwill for bigger changes ahead.

Make the continuous path the easy path.

Design your systems so that following continuous compliance processes is easier than working around them. This might mean creating automated templates, integrating compliance as code into your CI/CD pipeline, or implementing intelligent workflows that guide teams through processes easily. Whichever way you choose, the goal is to make compliance the path of least resistance.

Choose the right tools.

Not all CCM tools are created equal. 76% of CISOs said that integrations are the most important consideration when selecting tools to provide governance and continuous controls monitoring. Also important? Security standards, scalability, a single pane of glass, and more. Check out our Cyber GRC Buyer’s Guide for more help assessing tools. 

Measure what matters.

The research reveals that only 22.6% of organizations have reached the “measured with metrics” stage of program maturity. To get there, focus on visibility and reporting by implementing dashboards that show real-time compliance status. Make sure you’re tracking not just your basic compliance status but also operational metrics to help identify areas for improvement and justify further investment. 

Celebrate and communicate wins.

Once your organization has successfully automated a process or implemented continuous monitoring for certain controls, make sure to measure and communicate the impact. How many hours did it save? How many errors did it prevent? How much faster can you respond to audit requests or achieve certifications? These concrete wins help build momentum and support for broader transformation. 

Making 2025 the year of continuous improvement 

The research shows that organizations are ready for change; they just need the right approach. Like any good habit, CCM will become easier (and yield more payoffs) over time. The key is to start small, stay consistent, and focus on progress over perfection.

As you fine-tune your organization’s GRC resolutions for 2025 (or return to a plan that’s already been abandoned — no judgment), remember that the goal isn’t to be exceptional from day one. Instead, the goal is to future-proof your security, risk, and compliance programs in a purposeful, sustainable way.

What’s most essential is to recognize that processes don’t need to break before better habits are established — and that GRC needs more innovation and automation across the board.  

As 2025 gets underway, we’re excited to track the progress of the organizations that are beginning to adopt a continuous mindset. We’re here to support you, wherever you may be in your CCM journey. Read the full State of CCM Report here.
