A recently released report from Coalfire and Omdia found that for the majority of organizations, growing compliance obligations now consume 40 percent or more of IT security budgets and threaten to become an unsustainable cost.
The report offers key clues as to why compliance burdens are growing so quickly. For one, many cyber standards are shifting from point-in-time reviews to continuous, outcome-based requirements.
Second, there is an acute skills shortage in the cybersecurity talent pool, further straining organizations' ability to keep up with compliance requirements.
Last but not least, compliance budgets tend to stay flat even as compliance obligations and costs keep rising.

The survey findings presented in this report were collected before COVID-19 was declared a global pandemic. As COVID-19 has triggered an economic recession of unprecedented scale, organizations have slashed their compliance budgets. In industries hit hard by COVID-19, such as travel, retail and hospitality, compliance personnel, including employees on fraud and investigation teams, have been furloughed.
All of this is happening at a time when certain threats have become more dangerous because of the upheaval created by COVID-19.
COVID-19 Has Complicated the Risk Landscape.
Cyberattacks were already a major stressor for security leaders before the pandemic. Analysis by cyber experts found that organizations today are highly likely to suffer data breaches through vulnerabilities in the third-party applications they use.
The Ponemon Institute found that in the past two years, 53% of organizations have experienced at least one data breach caused by a third party, and that a data breach costs an average of $7.5 million to remediate.
Unfortunately, while the pandemic has pushed the above-ground economy into a major recession, the cybercrime economy appears to be charging ahead at full steam. The pandemic represents a once-in-a-lifetime opportunity for cyber criminals. With entire workforces suddenly working from home on networks and devices with weaker security controls, and with new categories of software such as video conferencing apps being adopted at scale, attackers know they now have a much larger attack surface to work with.

Additionally, when employees take on extra work or face pressure to meet goals under financial strain, the risk of misappropriated assets or manipulated financial reporting typically increases. Anti-corruption organizations have warned that the economic upheaval caused by the pandemic could create an environment ripe for bribery. Fraud risk is significant.
Privacy risks have also been magnified during this pandemic. To keep communities safe, regulators are requiring employers to collect employees' personal health information and to share certain information with health authorities to contain the spread of the novel coronavirus. For instance, OSHA recently revised its guidance to require employers to investigate whether employees who have contracted COVID-19 did so in the workplace.
Meanwhile, employers must be careful about how they store this type of sensitive information. State laws legally require employers to keep employee health information secure and confidential; if that information is disclosed to unauthorized parties, the employer risks violating state cybersecurity and privacy laws. Keeping employee personally identifiable information (PII) secure and confidential is difficult for employers that lack strong expertise in IT governance and data protection.

Further, we are living through a time when few organizations are willing to take on additional third-party risk. Now is a bad time to give your customers reasons to worry about your security posture. In fact, the more quickly and systematically you can provide assurance that your systems are reliable, secure and trustworthy, the better your customers will feel about you as a third-party vendor. Staying on top of infosec audits and security questionnaires should therefore remain a priority.
More than ever, organizations need to keep their compliance processes functioning properly; they need strong monitoring capabilities so they can detect mistakes or misbehavior and fix them before it is too late. Equally important, each organization needs to be able to meet its security and compliance needs at the same time.
The Tension Between Security and Compliance
Meeting both security and compliance needs at the same time is difficult for many organizations. For one, many businesses have no dedicated compliance function. Instead, the security team does the compliance work: it handles an endless stream of audit requests, documents internal controls, makes changes to those controls, and so forth.
The work becomes a drag on the business, because as audit requests go up, the risk of error goes up as well. And the security team still has its day job of protecting the organization and its assets from attackers and malware.
Second, the tools organizations have been using to manage compliance workloads, usually a combination of spreadsheets, cloud file storage and email, are insufficient for their ever-growing compliance needs.
Without deliberate action, these challenges will only become more daunting over time. Clients and sales prospects will want to see that your company's security risks are under control before they entrust their data to your business, so the requests for assessments and documentation will keep coming.
Meanwhile, the new generation of privacy and data security regulations is here to stay; these rules impose formidable duties of care for the data a company holds, and they hold the company responsible for third parties that handle that data on its behalf.
That means compliance with these regulations is about continuous monitoring and protection of data rather than point-in-time audits. It is also about vendor risk management, and about your company's ability to demonstrate competence at that task.
At this time, forward-looking organizations are turning to Continuous Compliance software to ensure they can fulfill their security and compliance needs at the same time. Tools that can automate repetitive tasks have proven to be useful in saving a security team time and money, and in helping organizations become more attractive to their business partners.
Automation Can Reduce Compliance Costs and Shrink Timelines

A recent study of IT security leaders commissioned by Coalfire found that the shift toward automation reduces assessment costs and timelines. 62% of surveyed companies said that automating evidence collection reduces their overall compliance burden.
Here at Hyperproof, we’ve seen similar findings from our own primary research. In fact, our founder and CEO, Craig Unger, had personally experienced the pain of having to manually gather documentation for SOC 2 audits while serving as the CTO at his previous company.
When Unger looked for software to help him automate the manual work of collecting evidence and responding to auditor requests and didn’t find anything that met his needs, he decided to start a new company that would tackle this problem. Unger, along with the founding team, talked to nearly 200 organizations to learn more about their challenges in security and compliance. Taking the learning from these organizations, the team started to build a solution.
As of June 2020, Hyperproof has developed continuous compliance software that serves as a single source of truth for all compliance data. Hyperproof delivers a set of capabilities designed to drastically cut down manual work in the compliance realm: collecting and organizing documentation, keeping evidence up to date, responding to audit requests and more.
Hyperproof Helps Organizations Get Compliance Work Done Faster
Here are a few examples of product features that help drive efficiency and a reduction in compliance burden:
- CrossWalks: Requests for security assessments and audits have multiplied over time. Because different infosec frameworks often have similar requirements, teams commonly duplicate effort by creating separate sets of controls for each framework. Hyperproof automatically identifies the overlapping (or common) requirements and controls between frameworks, so a compliance team can design and manage a smaller set of controls that satisfies multiple standards. You can read this article to see the crosswalks we've already lit up.
- Smart Folders and Labels: Collecting compliance documentation and fulfilling audit requests can be a major time sink, especially when a team has to complete multiple audits each year. With Smart Folders and Labels (a Hyperproof concept), evidence files can be grouped together and filed into "Smart Folders". A single piece of evidence can then be applied to several controls and reused across multiple compliance frameworks. That means you collect evidence once and reuse it automatically everywhere that evidence is required.
- API to automate evidence collection: If your compliance evidence lives in cloud systems such as Jira, GitHub, Workday, Checkr or other services, you don't need to pull it in manually. Using the Hyperproof API, you can write code that detects compliance-relevant events, extracts the evidence, and imports it into Hyperproof.
- Integrations with cloud file storage systems, with automatic syncing: You may already have a working system for storing and managing compliance documentation in Google Drive, OneDrive, Dropbox or elsewhere. If you prefer to keep using those systems as your documentation repository, you can. You can configure your Hyperproof instance so that the latest compliance documents in your cloud file storage are synced into Hyperproof automatically each day.
- Automated reminders to review controls and evidence, supporting continuous monitoring and ongoing compliance: Setting up reminders for yourself and others to review and update controls is time consuming, and controls often fail simply because nobody notices that a control is not being performed or updated on time. In Hyperproof, you can set up automated reminders so that control owners review controls on a regular cadence and so that testing and evidence collection happen throughout the year rather than right before an audit.
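The API bullet above describes a loop of detecting a compliance-relevant change, extracting the evidence, and handing it to your compliance system. The following is an added example written for this article, not Hyperproof's own code and not a reproduction of the Hyperproof API. It assumes one control ("production branches require two peer reviews, with no admin bypass"), a constructed GitHub-style branch protection response (the shape loosely follows GitHub's branch protection API, but the values are made up), and a hypothetical control identifier `CTRL-042`. The final import call to a compliance system is left as the place where you would call your vendor's API.

```python
"""Evidence collection for a peer-review control (added example, not Hyperproof code).

Shows the three steps the article's API bullet names: evaluate the control
against data pulled from a source system, package the result as a
tamper-evident evidence record, and detect drift between collections so a
change becomes a compliance event worth recording.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample response. Field names resemble GitHub's branch
# protection API; repository, branch and values are invented for the example.
SAMPLE_BRANCH_PROTECTION = {
    "repo": "example-org/payments-api",
    "branch": "main",
    "required_pull_request_reviews": {
        "required_approving_review_count": 2,
        "dismiss_stale_reviews": True,
    },
    "enforce_admins": {"enabled": True},
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
}


def evaluate_peer_review_control(protection, min_reviews=2):
    """Return (passed, findings) for the 'peer review required' control.

    A missing or malformed section counts as a failure: absence of evidence
    that a control is enforced is not evidence that it is.
    """
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    count = reviews.get("required_approving_review_count", 0)
    if count < min_reviews:
        findings.append(
            f"required_approving_review_count={count} is below {min_reviews}"
        )
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append("enforce_admins disabled: administrators can bypass review")
    return (not findings, findings)


def build_evidence_record(control_id, protection, collected_at=None):
    """Package raw source data plus verdict into an evidence record.

    The SHA-256 over canonical JSON lets an auditor confirm that the stored
    evidence matches what was collected, independent of the verdict.
    """
    passed, findings = evaluate_peer_review_control(protection)
    canonical = json.dumps(protection, sort_keys=True, separators=(",", ":"))
    when = collected_at or datetime.now(timezone.utc)
    return {
        "control_id": control_id,
        "source": f"github:{protection['repo']}@{protection['branch']}",
        "collected_at": when.isoformat(),
        "status": "pass" if passed else "fail",
        "findings": findings,
        "evidence_sha256": hashlib.sha256(canonical.encode("utf-8")).hexdigest(),
        "evidence": protection,
    }


def detect_drift(previous_record, current_record):
    """True when the underlying configuration changed since the last collection.

    Comparing hashes rather than verdicts also catches changes that still
    pass, which an auditor will want to see in the change history.
    """
    return previous_record["evidence_sha256"] != current_record["evidence_sha256"]


def collect(control_id, protection, previous_record=None):
    """One collection cycle: evaluate, record, and flag drift.

    Returns (record, drifted). In a real pipeline the record would be sent
    to your compliance system's import endpoint here (hypothetical call,
    intentionally not shown), either on a schedule or from a webhook.
    """
    record = build_evidence_record(control_id, protection)
    drifted = previous_record is not None and detect_drift(previous_record, record)
    return record, drifted


if __name__ == "__main__":
    baseline, _ = collect("CTRL-042", SAMPLE_BRANCH_PROTECTION)
    weakened = {**SAMPLE_BRANCH_PROTECTION, "enforce_admins": {"enabled": False}}
    current, drifted = collect("CTRL-042", weakened, previous_record=baseline)
    print(json.dumps({"status": current["status"], "drifted": drifted,
                      "findings": current["findings"]}, indent=2))
```

Running the block on the constructed sample yields a passing baseline; the weakened copy (admin bypass enabled) fails with one finding and is flagged as drift. The same pattern applies to any source with a queryable configuration: swap the sample for a real API response and the evaluation function for the control you are attesting to.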

Further, Hyperproof also comes with reports that give teams a thorough understanding of the status of each compliance program and a high-level view of their overall compliance posture. With real-time data on where things stand, teams can home in on which remediations are needed and which controls need review, and know exactly where to focus their energy.
Learn More
If you’d like to learn more about how automation can be applied across your compliance workflows so that you can save time and money, we’d love to answer your questions.
Please don’t hesitate to reach out to us here at Hyperproof. Contact us for a personalized demo.
Check out the following case studies on how Hyperproof customers have benefited from using our Continuous Compliance software.
The post Automation In Compliance: Why It’s a Business Imperative and Where to Start appeared first on Hyperproof.
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao. Read the original post at: https://hyperproof.io/resource/automation-in-compliance-business-case/?utm_source=rss&utm_medium=rss&utm_campaign=automation-in-compliance-business-case