SOC 2®, PCI DSS, ISO 27001, HITRUST. These acronyms are just a few of a growing array of infosec compliance standards modern businesses have to comply with. As the number of compliance standards and annual audits grows, the costs of compliance are growing at an alarming and ultimately unsustainable rate. Hyperproof’s 2021 survey found that compliance teams are spending up to 50% of their time gathering evidence for different audits. Meanwhile, business stakeholders in operations, engineering and IT are experiencing audit fatigue — as they’ve pulled away from their regular tasks several times per year to participate in compliance efforts (often fielding repetitive questions from the internal compliance team).
What is audit fatigue?
Audit fatigue, also known as assessment fatigue, is the feeling of tiredness, weariness, frustration or exhaustion that people experience after they’ve been pulled away from their regular tasks repeatedly in order to participate in compliance efforts.
Ed Glover, current vCISO at Cloud Security Labs, lived through this type of ordeal in his previous roles as a CISO: “When I joined my last company, the firm was spending an enormous amount of time each year preparing for our PCI Level 1 and SOC 2® Type 2 audits — which were scheduled months apart. Even though 80 percent of the evidence across PCI and SOC 2® were the same, because the audits weren’t scheduled at the same time, the compliance team had to collect more information than necessary. We were interviewing developers, operations, and business people for the same information multiple times a year. Business stakeholders were starting to complain.”
Organizations need a sustainable way to mitigate audit fatigue
If this situation resonates with you, we’re here to share some good news: there is an easier way to manage multiple compliance efforts and audits. In this article, we’ll introduce you to compliance leaders who’ve tackled this challenge and show you how they’ve streamlined their audit prep process, saved a lot of time, and minimized disruptions and negative impacts to control owners and business stakeholders.
In a nutshell, here’s what they did:
- Examine the infosec compliance standards they’re audited against. Map out where there are common requirements across multiple standards/frameworks and where common evidence can be used.
- Talk to the external auditors for the respective audits and ask them to stack the audits back to back — so all auditors are evaluating the same pool of evidence.
- Once the auditors agreed to the new plan, they created a work back plan for internal stakeholders and a central repository for storing all collected evidence.
While one compliance leader we interviewed did the controls mapping (step 1) and evidence collection work (step 3) manually, the other individual decided to automate these workflows with Hyperproof and as a result saved even more time and resources than the first.
Minimizing audit fatigue: Tips From Ed Glover, former CISO at Five9
The situation
Prior to joining Cloud Security Labs as a vCISO, Ed worked as a CISO at a publicly-traded company that provides cloud contact center software. When Ed Glover first joined the firm, the company was subject to PCI Level 1 and SOC 2® Type 2 assessments each year. These audits were scheduled months apart. Even though 80 percent of the evidence across PCI and SOC 2® was the same because the audits weren’t scheduled back to back the compliance team had to collect more information than necessary.
The compliance team interviewed developers, operations, and business people multiple times a year – even though the questions they asked were mostly the same each time. For the PCI audit alone, over 100 stakeholders (e.g., developers, operations people across networking, infrastructure, and others) had to participate in the evidence-gathering process. For SOC 2®, many of the same individuals were interviewed and handled evidence requests.
Ed and his team had to figure out the freshness policy for different types of controls (e.g., a review of firewall rules should happen quarterly) and manually send reminders to control operators to submit fresh evidence. Frustrations were starting to intensify, with business stakeholders complaining that they couldn’t make more time to accommodate compliance efforts.
The changes
Noting peoples’ frustrations, Ed decided to bring those audits together. His team mapped out the questions that would cover both audits manually. They focused on collective evidence once and putting everything into a central repository — SharePoint in this case.
Given that the company worked with the same third-party assessment firm for both PCI DSS and SOC 2® assessments, the firm readily agreed to shift the assessment schedule so that their auditors were able to review the same set of evidence and finish their reviews in a condensed time period.
The results
By shifting the schedule of the audits, Ed estimates that the new process is at least 40 to 50 percent more efficient than the old process. Business stakeholders were much happier with the new process, because they now know that Ed’s team would make compliance requests only once a year, and they know in advance when it will happen. As such, business stakeholders were able to spend a lot less time addressing compliance requests.
Stopping audit fatigue: Tips from Richard Guerrero, Director of Risk and Compliance at Clarifire
The situation
Clarifire is an innovative SaaS company based in St. Petersburg, Florida. The company offers a workflow application with the versatility and flexibility to automate and improve interactive processes that drive customer service delivery across any industry.
Clarifire’s customer base consists of multiple financial institutions and healthcare organizations. These financial services and healthcare customers require Clarifire to demonstrate compliance with multiple security and data privacy standards and regulations. For instance, 75% percent of Clarifire customers ask to see Clarifire’s SOC 2® Type 2 report.
Rich Guerrero, Clarifire’s Director of Risk and Compliance, joined the company in 2017 to lead the risk management and compliance function. Each year, Clarifire has to complete three external audits regarding its information security posture: SOC 2® Type 2, TruSight, and KY3P. At that time, compliance work was managed manually in a complex spreadsheet.
Before Guerrero joined Clarifire, the three audits were scheduled months apart. Because the auditors required evidence to be at a certain level of freshness, control owners and operators had to provide the same evidence and answer the same questions three times each year. It also created work for Guerrero, who had to review the evidence and organize it for auditors three times a year.
The changes
To save time and reduce impact to control owners, Guerrero proposed to the three auditors that they should schedule these audits back to back. He asked the TruSight and KY3P assessors for two things: (1) to move up the date of Clarifire’s assessment, and (2) to accept SOC 2® evidence, which has different freshness requirements. Since the SOC 2® auditor’s freshness requirements were tighter than TruSight’s and KY3P’s, they readily agreed.
“Compliance requirements and customer expectations around security are ever-growing for our organization. We need to manage all the work in the most efficient way possible. When we are able to easily identify controls that can satisfy requirements of multiple standards and link them together, we are able to minimize redundant work,” says Guerrero.
Guerrero was aware that by scheduling the audits back to back, it required tighter coordination between him and the auditors, which left no wriggle room for each audit to run behind schedule. But even then, he felt that the benefits of the change would outweigh the costs.
To increase operational efficiency around compliance projects, Guerrero decided to look for compliance software with the following key capabilities:
- Mapping (or crosswalking) between different compliance standards and frameworks — so work such as control design, implementing and testing, and evidence gathering could be streamlined as much as possible.
- Ability to manage risks and compliance efforts in an integrated approach by mapping risks to controls (and compliance requirements).
- Intuitive to use — so that everyone who needs to participate in the company’s compliance effort could get their work done without much training.
After an evaluation process, Clarifire selected Hyperproof as its compliance operations platform. By using Hyperproof’s crosswalk feature, Guerrero is able to map the requirements of SOC 2®, TruSight, and KY3P to each other, and assemble a single set of evidence that would serve all three programs.
Guerrero is also using Hyperproof’s built-in freshness tracking feature to set freshness policies for each control and automated reminders for control owners to submit fresh evidence.
The results
Managing the evidence centrally in Hyperproof, controlling freshness with the built-in freshness tracking feature, and reusing the evidence for multiple frameworks allowed Clarifire to reduce audit preparation time by 50%. For control owners, providing evidence once a year instead of three times per year reduced their effort by 66%.
Guerrero celebrated the success of the Hyperproof implementation by retiring the compliance spreadsheet he inherited from his predecessor.
Additional resources
Want more resources on how you can reduce the burden of evidence management?
Register for our webinar with Motorola Solutions to see how their data protection compliance group was able to streamline and automate their evidence management process.
Watch our webinar with Motorola Solutions to see how their data protection compliance group streamlined and automated their evidence management process.
You can also check out our article below on additional evidence management tips.
3 Tips to Radically Reduce Your Evidence Management Burden for IT Security and Data Privacy Audits.
Monthly Newsletter