CISOs are turning to automation to address concerns about doing more with less, preparing for audits remotely, and speeding evidence collection, according to a newly released study.
Calendars for security and compliance audits are largely unchanged despite COVID-19, but the pandemic is straining security teams as they work remotely, according to the findings of a recent survey by automated audit prep provider Shujinko. The survey of North American CISOs documented the challenges facing security and compliance professionals preparing for a wave of upcoming audits and was conducted by Pulse in late June 2020. Responses were provided by 100 senior security executives at companies headquartered in North America.
The survey further found that CISOs are tasked with preparing for more than three audits on average in the next six to 12 months, but struggle with inadequate tools, limited budgets and personnel, and inefficient manual processes. The results show that migrating to the cloud is dramatically increasing the scope and complexity of audit preparation and rendering old methods and approaches obsolete, Shujinko said.
“CISOs at major companies are caught between a rock and hard place when it comes to security and compliance audits over the second half of 2020 and want automated tools to help dig them out,” said Scott Schwan, Shujinko CEO and co-founder, in a statement. “Unfortunately, they’re simply not able to find them.”
SEE: Identity theft protection policy (TechRepublic Premium)
Instead, teams “are cobbling together scripts, shared spreadsheets, ticketing systems, and a hodgepodge of other applications to try to manage, resulting in inefficiency, lengthy preparation, and limited visibility,” Schwan added. “More than two-thirds of CISOs are looking for something better.”
The key research findings were that:
- CISOs are preparing for an average of 3.3 security compliance standard audits over the next six to 12 months. Despite changes in the economic climate due to COVID-19, CISOs are still tasked with preparing for more than three upcoming compliance audits across multiple security frameworks (e.g., PCI, SOC 2, NIST-CSF, ISO 27001, etc.).
- Most common audits are for HITRUST, HIPAA, and PCI DSS. Fifty-one percent of CISOs surveyed indicated they are preparing for a HITRUST audit in the next six to 12 months, 45% are preparing for HIPAA, 43% for PCI, 41% for CCPA, and 36% for an internal audit. In addition, 77% of companies preparing for SOC-2 audits were software companies.
- CISOs are worried about doing more with less. COVID-19 has amplified CISOs’ concerns about doing more with less (employees and budget) with both teams and auditors working remotely. Worries over conflicting priorities, draining available resources, and ensuring that evidence is complete round out their top five CISO concerns.
- CISOs desperately want more automation. Seventy-two percent of security executives say they want to improve the automation of their audit preparation process and automation was cited as the number one element most CISOs would change if they could. Team communication and collaboration rounded out the top three most desired improvements.
- Two-thirds of CISOs dislike their current tool set. The survey found that CISOs are currently using a mix of homegrown scripts, spreadsheets, ticketing systems, shared documents, SharePoint, and email to prepare for audits. No CISOs reported having a security audit preparation tool that they are completely satisfied with.
- CISOs have poor visibility into the audit process. No CISOs rated visibility into key audit preparation steps a complete success and only one rated it a four out of five–suggesting poor executive line-of-sight into hitting audit deadlines.
- Audit processes don’t fit a cloud development model. Only 1% of CISOs said that their audit preparation process completely aligns with the speed and agility that is needed for rapid cloud application development and frequent iteration.