13.7% of CISOs said their compliance program is a 1 (“Initial: ad-hoc”), and 23% said their program is a 2 (“Established: documented and repeatable”).

Only 5% of CISOs consider their organisation's compliance program to be optimised for efficiency and continuous improvement.