Stephen Horvath

The Sameness of Every Day: How to Change Up Audit Fatigue

And with more data compliance laws on the way, audit fatigue could be a real challenge for infosec professionals.

Many of you know (and some love) the 1993 movie Groundhog Day. For those who haven't seen it, the main character, Phil Connors (played by Bill Murray), is forced to live the same day over and over until he gets it right. He meets the same people in the same places and experiences the same moments wherever he goes. Even the same song — Sonny and Cher's "I Got You, Babe" — is playing when his clock radio comes on at the same time every morning. 

The challenge he faces is that he's been given no rules or guidelines about how to get out of this fix. Nothing he does can break the cycle of waking up and reliving the same events day after day after day. In my conversations with colleagues who deal with IT risk or privacy compliance, their experiences begin to sound identical to Phil's trapped existence. Why? I think a large part of it is the frustration and exhaustion of having to report on the same data about the same security controls over and over, every time a new audit request comes in.

Fatigue comes in many forms, whether it's work fatigue, Zoom fatigue, or COVID fatigue. There is no question that a large part of work fatigue for security professionals stems from compliance requirements. Lately, it feels like a new regulation or compliance standard is introduced every few months. In 2018, we saw the introduction of the European Union's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA). Two major privacy regulations in one year certainly left organizations overwhelmed with more standards to comply with in addition to what was already on their plate. While these regulations are needed, it looks like GDPR and CCPA are just the beginning.

The Costs of Compliance
Now that the dust has settled on these major regulations, it is only a matter of time before other states follow suit and begin to implement their own standards, which inevitably means more compliance headaches to come. According to a recent survey by Telos Corp., commercial organizations must comply with an average of 13 different IT security and/or privacy regulations. On top of that, organizations spend around $3.5 million annually on these activities, and it takes three working days to respond to a single request. When you break it down, that means that compliance audits consume an average of 58 working days each quarter. And let's remember that's an average across sectors, not just heavily regulated industries like financial, healthcare, or energy.

Organizations across industries universally experience audit and compliance fatigue. With the additional fatigue people and enterprises face in so many other areas at this point in time, alleviating this particular form should be at the top of every organization's list. The common denominator behind every company is its workforce — the personnel that keep things running and respond to every crisis. However, they are experiencing an unprecedented amount of stress, and the infosec community is just waking up to the serious problem and growing prevalence of burnout across the industry.

Don't Discount Burnout
According to a CISO Stress Report released earlier this year by Nominet, 88% of CISOs suffer from moderate or high stress. Almost half of those surveyed revealed that these stress levels have impacted their mental health. In fact, the pressures on CISOs are so significant that Nominet even developed a CISO Stress Calculator to support this finding. Burnout is yet another form of fatigue fueled in part by demanding compliance regulations, and organizations are working to find ways to ease this burden.

While CISOs and CIOs undoubtedly experience stress and fatigue, security practitioners, internal auditors, and compliance teams also get burned out. The stress of pre-audit activities, endless repetitive tasks, and constant back-and-forth requests for the same data, over and over again, leaves these career security professionals burning their candles down to the end of the wick.

The Costs of Noncompliance
Despite the extreme costs of compliance, in many cases the costs of noncompliance can be significantly greater, as noncompliance often leads to considerable fines, loss of investor confidence, and damaged reputations. Looking at some of the biggest blunders in the past five years alone, we've seen British Airways ($230 million), Marriott ($123 million), Google ($57 million), and other large corporations quite literally pay the price for noncompliance. According to Telos' survey, organizations faced an average of eight fines over the last two years, costing them more than $460,000.

Conquering Cloud Migration and Looking Forward
To add to the challenges faced by CISOs and cybersecurity professionals, migration of compliant workloads to the public cloud opens up an entirely new world of compliance activities. Some 94% of respondents to the Telos survey report that they face challenges when it comes to IT security compliance and/or privacy regulations in the cloud. The most commonly cited challenge is the ability to keep track of where sensitive data is stored and how many instances of that data exist at any one time. Cost, coupled with rapid changes in cloud regulations and unfamiliarity with the practice, is the main obstacle associated with cloud compliance.

With all of this in mind, there is no question that a better path forward is needed. Where possible, we need to let the data speak for itself through automation — a real answer that's ready today to alleviate audit fatigue. Automation can increase audit evidence accuracy, reduce time spent in the auditing phase, and improve the ability to respond to audit evidence requests more quickly. Additional solutions for relieving audit fatigue include establishing a compliance risk team to triage requests and offering solid, intelligible compliance training that employees can put into practice. Continuously improving your compliance program and being proactive, especially during slower periods, is another way to stay ahead of the curve.

In compliance, there is not always a one-size-fits-all approach. Finding the proper solution to handle compliance and audit fatigue may take some time for each organization, but it's clearly worth the effort.

Joining Telos in 2006, Steve Horvath established a new model for providing professional services in support of the company's Xacta risk management platform. He currently serves as Vice President of Strategy and Cloud with a focus on long-term strategic partnerships and ...
