Risk

11/13/2020
10:00 AM
Stephen Horvath
Commentary

The Sameness of Every Day: How to Change Up Audit Fatigue

And with more data compliance laws on the way, audit fatigue could be a real challenge for infosec professionals.

Many of you know (and some love) the 1993 movie Groundhog Day. For those who haven't seen it, the main character, Phil Connors (played by Bill Murray), is forced to live the same day over and over until he gets it right. He meets the same people in the same places and experiences the same moments wherever he goes. Even the same song — Sonny and Cher's "I Got You, Babe" — is playing when his clock radio comes on at the same time every morning. 

The challenge he faces is that he's been given no rules or guidelines about how to get out of this fix. Nothing he does can break the cycle of waking up and reliving the same events day after day after day. In my conversations with colleagues that deal with IT risk or privacy compliance, their experiences begin to sound identical to Phil's trapped existence. Why? I think a large part of it is the frustration and exhaustion of having to report on the same data about the same security controls over and over, every time a new audit request comes in. 

Fatigue comes in many forms, whether it's work fatigue, Zoom fatigue, or COVID fatigue. There is no question that a large part of work fatigue for security professionals stems from compliance requirements. Lately, it feels like a new regulation or compliance standard is introduced every few months. In 2018, we saw the introduction of the European Union's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA). Two major privacy regulations in one year certainly left organizations overwhelmed with more standards to comply with in addition to what was already on their plate. While these regulations are needed, it looks like GDPR and CCPA are just the beginning.

The Costs of Compliance 
Now that the dust has settled on these major regulations, it is only a matter of time before other states follow suit and begin to implement their own standards, which inevitably means more compliance headaches to come. According to a recent survey by Telos Corp., commercial organizations must comply with an average of 13 different IT security and/or privacy regulations. On top of that, organizations spend around $3.5 million annually on these activities, and it takes three working days to respond to a single request. When you break it down, that means that compliance audits consume an average of 58 working days each quarter. And let's remember that's an average across sectors, not just heavily regulated industries like financial, healthcare, or energy.

Organizations across industries universally experience audit and compliance fatigue. With the additional fatigue people and enterprises face in so many other areas at this point in time, alleviating this particular form should be at the top of every organization's list. The common denominator behind every company is its workforce — the personnel that keep things running and respond to every crisis. However, they are experiencing an unprecedented amount of stress, and the infosec community is just waking up to the serious problem and growing prevalence of burnout across the industry.

Don't Discount Burnout
According to a CISO Stress Report released earlier this year by Nominet, 88% of CISOs suffer from moderate or high stress. Almost half of those surveyed revealed that these stress levels have impacted their mental health. In fact, the pressures on CISOs are so significant that Nominet even developed a CISO Stress Calculator to support this finding. Burnout is yet another form of fatigue fueled in part by demanding compliance regulations, and organizations are working to find ways to ease this burden.

While CISOs and CIOs undoubtedly experience stress and fatigue, security practitioners, internal auditors, and compliance teams also get burned out. The stress of pre-audit activities, endless repetitive tasks, and constant back-and-forth requests for the same data, over and over again, leads these career security professionals to burn their candles until they reach the end of the wick.

The Costs of Noncompliance
Despite the extreme costs of compliance, in many cases the costs of noncompliance can be significantly greater, as it often leads to considerable fines, loss of investor confidence, and damaged reputations. Looking at some of the biggest blunders in the past five years alone, we've seen British Airways ($230 million), Marriott ($123 million), Google ($57 million), and other large corporations quite literally pay the price for noncompliance. According to Telos' survey, organizations faced an average of eight fines over the last two years, costing them more than $460,000.

Conquering Cloud Migration and Looking Forward
To add to the challenges faced by CISOs and cybersecurity professionals, migration of compliant workloads to the public cloud opens up an entirely new world of compliance activities. Some 94% of respondents to the Telos survey report that they face challenges when it comes to IT security compliance and/or privacy regulations in the cloud. The most likely challenge is their ability to keep track of the sensitive data stores or how many instances of that data exist at any one time. The cost, coupled with rapid changes in cloud regulations and unfamiliarity with the practice, are the main obstacles associated with cloud compliance.

With all of this in mind, there is no question that a better path forward is needed. Where possible, we need to let the data speak for itself through automation — a real answer that's ready today to alleviate audit fatigue. Automation can increase audit evidence accuracy, reduce time spent in the auditing phase, and improve the ability to respond to audit evidence requests more quickly. Additional solutions for relieving audit fatigue include establishing a compliance risk team to triage requests and offering solid, intelligible compliance training that employees can put into practice. Continuously improving your compliance program and being proactive, especially during slower periods, is another way to stay ahead of the curve.

In compliance, there is not always a one-size-fits-all approach. Finding the proper solution to handle compliance and audit fatigue may take some time for each organization, but it's clearly worth the effort.

Joining Telos in 2006, Steve Horvath established a new model for providing professional services in support of the company's Xacta risk management platform. He currently serves as Vice President of Strategy and Cloud with a focus on long-term strategic partnerships and ...