Many of you know (and some love) the 1993 movie Groundhog Day. For those who haven't seen it, the main character, Phil Connors (played by Bill Murray), is forced to live the same day over and over until he gets it right. He meets the same people in the same places and experiences the same moments wherever he goes. Even the same song — Sonny and Cher's "I Got You, Babe" — is playing when his clock radio comes on at the same time every morning.
The challenge he faces is that he's been given no rules or guidelines about how to get out of this fix. Nothing he does can break the cycle of waking up and reliving the same events day after day after day. In my conversations with colleagues that deal with IT risk or privacy compliance, their experiences begin to sound identical to Phil's trapped existence. Why? I think a large part of it is the frustration and exhaustion of having to report on the same data about the same security controls over and over, every time a new audit request comes in.
Fatigue comes in many forms, whether it's work fatigue, Zoom fatigue, or COVID fatigue. There is no question that a large part of work fatigue for security professionals stems from compliance requirements. Lately, it feels like a new regulation or compliance standard is introduced every few months. In 2018, we saw the introduction of the European Union's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA). Two major privacy regulations in one year certainly left organizations overwhelmed with more standards to comply with in addition to what was already on their plate. While these regulations are needed, it looks like GDPR and CCPA are just the beginning.
The Costs of Compliance
Now that the dust has settled on these major regulations, it is only a matter of time before other states follow suit and begin to implement their own standards, which inevitably means more compliance headaches to come. According to a recent survey by Telos Corp., commercial organizations must comply with an average of 13 different IT security and/or privacy regulations. On top of that, organizations spend around $3.5 million annually on these activities, and it takes three working days to respond to a single request. When you break it down, that means that compliance audits consume an average of 58 working days each quarter. And let's remember that's an average across sectors, not just heavily regulated industries like financial, healthcare, or energy.
Organizations across industries universally experience audit and compliance fatigue. With the additional fatigue people and enterprises face in so many other areas at this point in time, alleviating this particular form should be at the top of every organization's list. The common denominator behind every company is its workforce — the personnel that keep things running and respond to every crisis. However, they are experiencing an unprecedented amount of stress, and the infosec community is just waking up to the serious problem and growing prevalence of burnout across the industry.
Don't Discount Burnout
According to a CISO Stress Report released earlier this year by Nominet, 88% of CISOs suffer from moderate or high stress. Almost half of those surveyed revealed that these stress levels have impacted their mental health. In fact, the pressures on CISOs are so significant that Nominet even developed a CISO Stress Calculator to support this finding. Burnout is yet another form of fatigue fueled in part by demanding compliance regulations, and organizations are working to find ways to ease this burden.
While CISOs and CIOs undoubtedly experience stress and fatigue, tsecurity practitioners, internal auditors, and compliance teams also get burned out. The stress of pre-audit activities, endless repetitive tasks, and constant back-and-forth requests for the same data, over and over again, lead to these career security professionals burning their candles till they reach the end of their wick.
The Costs of Noncompliance
Despite the extreme costs of compliance, in many cases, noncompliance costs can be significantly greater, as it often leads to considerable fines, loss of investor confidence, and damaged reputations. In taking a look at some of the biggest blunders in the past five years alone, we've seen British Airways ($230 million), Marriott ($123 million), Google ($57 million), and other large corporations quite literally pay the price for noncompliance. According to Telos' survey, organizations faced an average of eight fines over the last two years, costing them more than $460,000.
Conquering Cloud Migration and Looking Forward
To add to the challenges faced by CISOs and cybersecurity professionals, migration of compliant workloads to the public cloud opens up an entirely new world of compliance activities. Some 94% of respondents to the Telos survey report that they face challenges when it comes to IT security compliance and/or privacy regulations in the cloud. The most likely challenge is their ability to keep track of the sensitive data stores or how many instances of that data exist at any one time. The cost, coupled with rapid changes in cloud regulations and unfamiliarity with the practice, are the main obstacles associated with cloud compliance.
With all of this in mind, there is no question that a better path forward is needed. Where possible, we need to let the data speak for itself through automation — a real answer that's ready today to alleviate audit fatigue. Automation can increase audit evidence accuracy, reduce time spent in the auditing phase, and improve the ability to respond to audit evidence requests more quickly. Additional solutions for relieving audit fatigue include establishing a compliance risk team to triage requests and offering solid, intelligible compliance training that employees can put into practice. Continuously improving your compliance program and being proactive, especially during slower periods, is another way to stay ahead of the curve.
In compliance, there is not always a one-size-fits-all approach. Finding the proper solution to handle compliance and audit fatigue may take some time for each organization, but it's clearly worth the effort.