Another week, another report capturing the strains and dysfunction in cybersecurity risk management. This time, we have a survey of IT security and compliance professionals who still struggle to move beyond planning phases and are burdened with duplicative audits and a flood of customer documentation requests.
The report comes from A-LIGN, which sells software to help businesses cope with cybersecurity audits and related risk management issues. It just published its 2022 benchmarking report, which polled more than 700 cybersecurity risk professionals about their trials and tribulations these days. Among the more notable findings…
- Most companies are performing multiple compliance audits every year. Eighty-five percent of respondents said they routinely conduct two or more audits annually, from SOC 2 to HIPAA to HITRUST to FedRAMP and lots more.
- Fumbling your cybersecurity compliance can hurt. Twenty-two percent of respondents said they lost a business deal because they were missing a compliance certification.
- Many companies still aren’t prepared for a ransomware attack. Only 39 percent of respondents said their firm already has a ransomware response plan in place, while 40 percent are still planning to develop one.
- Zero-trust is gaining popularity as a cybersecurity strategy. More than half of respondents (58%) agree that zero trust is a strategy they must implement in the next 12 months.
- Budget support is mostly holding steady or going up. Forty-two percent said they expect their budget for cybersecurity to increase in the next year, and another 35 percent expect the budget to hold steady. Only 22 percent expect a decline.
Taken all together, these results (and others in the report) send two messages. One message is that audit, compliance, and security executives clearly grasp the problems around cybersecurity compliance: too many audits, would-be customers wandering off when you can’t document compliance quickly, and a need to anticipate ransomware attacks (through strategies such as zero-trust architecture). So at least we know what’s going wrong.
The other message, however, is that too many companies are still quite early in their response to those problems. I mean, 40 percent don’t have a ransomware response plan yet? That’s something that should have been completed, like, last year. Companies also need to get ahead of these surging demands for security compliance audits, before their security teams either drown in documentation requests or throw themselves out the window in sheer frustration.
Needed: Better Compliance Approach
That bad-news message above is not meant to blame CISOs and compliance officers personally. Most of them are working as hard as they can, as best they can. Rather, the issue here is that cybersecurity compliance is becoming such a complicated and demanding endeavor that corporate compliance departments can’t keep up.
That is, compliance teams are trapped in a world where they can only respond tactically to one customer demand or audit request after another — in a world where customers and regulators keep demanding more and more, because the importance of cybersecurity keeps going up and up. What compliance teams need is a better strategic approach to cybersecurity, information governance, and compliance, so that meeting all those individual requests is easier.
Obviously this is an issue that A-LIGN and lots of other audit software vendors want to explore, because they sell software promising to deliver exactly that strategic capability. (Hence so many vendors publish these benchmarking reports in the first place.)
Well, whatever. Shortcomings in compliance technology are a pressing problem in modern business regardless of who raises the question. Just the other day we had a post about workforce shortages in cybersecurity and audit, and that headache is very much related to this one. Compliance and security teams need to make better use of technology to alleviate manpower shortages, provide better assurance to the board and other stakeholders, and to help the company advance on its business objectives.
What should that technology be able to do? We can outline a few main points.
Better mapping of controls and audit requirements, so you can eliminate duplicative controls and consolidate audits. The A-LIGN report, for example, noted that SOC 2 has 144 controls and ISO 27001 has 137, for a total of 281 controls you test and document when the audits are done separately. But when you map controls to audit requirements and do both audits together, you only need to process 207 controls, a reduction of 26 percent.
Better escalation and reporting, so you can understand your overall posture for various audits. First, that lets you communicate more effectively with business unit leaders so you can get these audits done: “Frank, you were supposed to address this control two days ago, it’s still not done, and you’re going to hold up progress on the rest of the audit.” Second, visibility into your audits helps you communicate more effectively with the CEO and the board: “Here’s the evidence of how we keep finding issues with weak access controls and need to revamp that whole process.”
More compatibility with compliance frameworks, so you can keep pace with regulatory change or customer audit requests more easily.
The Pressures Keep on Coming
We also have another source of pressure to consider: the Biden Administration is leaning hard on companies to do better at cybersecurity as part of its national security strategy.
That message traces back to the Biden Administration’s executive order on cybersecurity, which came out one year ago this month. That order directed government agencies (and strongly encouraged everyone else) to embrace zero-trust network architecture and multi-factor authentication for better access control, and called for more internal control over the third-party code that organizations use in their own software code — complete with audits to confirm that those controls are effective.
This Biden Administration push for better cybersecurity is all about making businesses more resilient to external attacks, so that those companies won’t end up derailing other parts of business and civic life. (See the Colonial Pipeline ransomware attack in 2021, which left 100 million Americans wondering whether they’d have enough gasoline for their cars.)
Well, you’ll need to document your company’s resilience somehow, and that’s what cybersecurity compliance is, really: the ability to demonstrate that your security controls meet certain standards. The more quickly and easily you can do that, the more trustworthy your business will be to others. So a strong compliance program, driven by strong technology, really is going to be a competitive advantage in years to come.
Like I said, the A-LIGN report shows that lots of compliance officers grasp that fundamental point.
But like I said, the A-LIGN report shows that lots of companies aren’t there yet.