At this time, cybersecurity, data privacy issues are viewed as an organization-wide concern. According to a 2019 survey conducted by Marsh and Microsoft, cyber risk has become even more firmly entrenched as an organizational priority in the past two years. Yet, at the same time, organizations’ confidence in their ability to manage the risk declined.
Organizations’ confidence in their ability to manage cyber risk has declined for a couple of reasons. For one, the threats themselves are evolving rapidly, with cyber criminals developing increasingly sophisticated schemes that can disrupt entire businesses, industries, supply chains, and nations.
Organizations have attempted to stay ahead of the threats by hiring more security experts and purchasing new tools to better analyze, identify, prevent and/or remediate cyber risks. However, many of these security and compliance professionals are so bogged down in administrative tasks that they’re left with little time to focus on activities that truly move the needle in keeping their organizations safe.
In Hyperproof’s 2020 IT Compliance Benchmark Report, we found that the typical professional responsible for security, data privacy, and compliance initiatives spends approximately one full work day every week on administrative activities.
Instead of focusing on activities that help to get a greater handle on the real risks — such as conducting risk assessments, updating security policies, and implementing applications to support a zero-trust approach to security — security and compliance professionals are spending their precious hours on tasks such as:
- Searching through emails to find documents needed for audits
- Finding information needed to meet compliance requirements
- Filing, storing, managing compliance documentation
How much does this cost organizations?
Let’s do the math based on hard data: If each individual spends one work day every week on administrative activities, this adds up to 416 hours or 52 days in a year. The typical mid-size technology organization must adhere to anywhere between 5 to 15 IT compliance frameworks and has at least 10 full-time employees dedicated to IT security and compliance.
Let’s assume that a compliance professional at the Manager level makes $800 per day when we factor in base compensation and benefits.
This means that an organization with a compliance team of 10 people would have spent $ 416,000 each year on low-value, administrative activities.
This administrative overhead creates enormous opportunity costs for organizations. Every hour spent on administrative tasks is an hour not spent on other high-value tasks, such as:
- Investigating security alarms
- Updating security policies and procedures
- Implementing new tools that can better identify threats and prioritize their work
- Training employees to up-level their cybersecurity knowledge
At an organizational level, these issues can result in consequences such as major risks being missed or vulnerabilities left unaddressed. Furthermore, this problem heightens the risk of turnover of key talent in the security and compliance function and the loss of critical institutional knowledge. In short, administrative overhead can be a major threat to your security.
Additionally, we believe this problem will only become more pronounced in the future, as zero-trust (“Verify, then trust”) becomes the dominant operating model for organizations when it comes to their vendor/supplier relationships.
Why are organizations spending so much time on compliance documentation?
A Lack of Efficient Tools For Collecting and Manage Compliance Documents
This administrative overhead is, first and foremost, the result of a lack of efficient tools for managing IT audits and compliance processes. In Hyperproof’s 2020 IT Compliance Benchmark Report, we found that 57 percent of surveyed organizations are still using ad-hoc tools — a combination of spreadsheets, email, and file storage systems — to manage their audit and compliance-related workloads. These tools simply aren’t built to handle the work that has to be done by IT compliance managers.
Given the critical importance of IT security and data privacy, many compliance managers today are managing anywhere between 5 and10 IT compliance frameworks at once and must go through one or two external audits every month.
To prepare for each audit, a compliance manager has to assess existing controls, match their internal controls to the requirements of the compliance framework, collect evidence for every control, and link each piece of evidence to the right control. Given that each compliance framework (e.g., ISO 27001) may have several hundred requirements and several hundred controls, completing this work efficiently and accurately with spreadsheets and emails is close to impossible. Further, to ensure that their organization is prepared to pass each audit, a compliance professional needs to understand where things stand at any given time, know what they need to do next, and keep track of all the people who need to submit documents and do their part.
DigiCert, a certificate authority, is an organization that faces all of these challenges. Because DigiCert must meet a variety of different compliance standards — including SOC 2, WebTrust, NIST 800-53, PCI DSS — and pass audits for each, managing the high volume of evidence files was especially time consuming and tedious. Without a dedicated tool, the team spent multiple days gathering these documents manually for every audit.
The Changing Nature of Buyer-Seller Relationships: “Verify, then Trust” Is On Its Way to Becoming the New Operating Model.
Organizations are obliged to spend more and more of their resources on compliance and audit-related work due to external factors such as:
- Business buyers asking their vendors more and more questions about their security and data privacy measures. In an age where cyber risks have become pervasive, organizations’ trust in their vendors and suppliers has declined. In fact, many organizations have moved towards a zero-trust operating model, where no one is to be trusted until they have been verified. While Fortune500 enterprises have already stood up security and privacy standards and attestation programs for their suppliers and vendors (e.g., Microsoft’s SSPA), we can expect smaller organizations to move in this direction as well in the next few years.
- Regulators in the U.S. and EU enforcing data privacy and cybersecurity laws more often than in past years. Organizations are obliged to keep detailed records of their compliance measures in case they become the subject of an investigation.
- Increasingly sophisticated cyber attack schemes keeping organizations on edge. Security leaders have realized that they must keep a close eye on their environment and review evidence of compliance activities on an ongoing basis to verify that all security controls are working as intended.
How to move forward
In the next few years, the demands on compliance professionals’ time are expected to increase dramatically. The last thing you want is to allow administrative overhead to become another threat to your security. Tools that help teams eliminate administrative overhead and other distractions while giving them greater insights into how to prioritize their work will be critical in this new era. For example, you can look for information security, compliance operations, and privacy management applications to help your teams increase their capacity and their ability to focus on the things that matter most.
Hyperproof Eliminates Administrative Overhead From IT Audits and Compliance Processes
Here at Hyperproof, we believe that the best way to minimize your risk exposure is to develop an on-going compliance program that involves continuous assessment and review of your risks and internal control environment.
Hyperproof has built a compliance operations software that helps security and compliance teams manage their compliance processes and audits in a streamlined way, eliminate administrative work, and easily identify any gaps in their internal control environment. The application also enables teams to standardize their operations and move towards a state of continuous assessment and review.
“Hyperproof is dispensing with much of the administrative overhead necessary to begin providing metrics and valuable insight into our audit readiness – more of my time will be freed to work on strategic tasks aimed at improving the security and compliance posture of the organization. This time saving is a big deal because it allows us to more effectively scale with existing resources,” says Aaron Poulsen, Director of Product Security and Compliance at DigiCert.