We’re nearing the end of the year, a time when many people start to reflect and consider changes they may want to make in their professional and personal lives in the coming year.
Living through a global pandemic has made life tougher for all of us — some far more than others. According to the Bureau of Labor Statistics, U.S. unemployment was 7.9 percent as of September. That equates to about 12.6 million people. Many who are still employed found themselves working longer hours, taking on new responsibilities, and having to get more work done with fewer resources.
Information security, compliance professionals and audit executives faced challenges they’ve never encountered in their career.
In March 2020, millions of workers were sent to work from home by their employers who didn’t have a plan for how to maintain cybersecurity under a radically different work environment. Security and privacy controls that were set up for physical offices suddenly became irrelevant.
CISOs, IT security, and compliance professionals were challenged with questions like:
How do we identify all new assets tapping into our corporate network and data? What’s the right mix of policy and training for employees to think carefully about security, versus security controls that block new devices? Do we know if those responsible for maintaining the security of key systems are still with the company?
Security and compliance professionals in 2020 had more external threats to address, new internal uncertainties to resolve, and, in many cases, fewer resources to do the work.
Meanwhile, the core responsibilities compliance professionals have always had aren’t going away. They still have to complete scheduled audits and recertification processes for infosec frameworks like ISO 27001, PCI DSS, SOC 2, and others.
It would be an understatement to say that compliance and information security professionals have had a stressful year. Meanwhile, those who are unhappy with their jobs have more opportunities than ever before to seek greener pastures.
Research suggests that mass remote working in the U.S. is here to stay, even after COVID-19 recedes. Gartner says that two-fifths of employees are likely to work outside the office at least some of the time post-pandemic, up from 30% before the virus struck. When employees work remotely, the risk of them quitting is higher. Many organizations have started to see the benefits of remote work, and as such, have expanded their candidate searches across the country.
Top talent in roles where remote work is feasible have more opportunities to jump ship than ever before.
With all of that said, it’s important for CISOs and business leaders to be prepared to see greater attrition within their cybersecurity and compliance professional workforce in the near future. While there’s a lot that leaders can do to try to retain their best employees, turnover isn’t always preventable.
As a CISO, audit executive, or business leader, are you prepared for this scenario? Do you have a plan to mitigate the risk of losing valuable, institutional knowledge on compliance-related matters if key members of your compliance team were to quit?
Mitigating the Costs of Turnover
Let’s say that a key member of your compliance team has left the company. This individual’s team was responsible for the company’s ISO 27001, SOC 2, and PCI recertification processes for the last three years. Now, you’ve hired a new team member to oversee and execute your ISO 27001 recertification process. The audit is scheduled two months from today.
How would you onboard a new person so they are able to get through the ISO 27001 recertification process without experiencing major hiccups? How easy or difficult would the task be? Of course, the answer is that it depends on how well your compliance and audit-related activities are recorded and tracked.
To onboard this new individual, you’ll need to find answers to questions like:
- Where are the records of ISO 27001 activities from previous years kept?
- How useful are these records?
- Did your former compliance leader keep track of all requirements of ISO 27001 framework as well as the associated controls in a single place?
- Which controls exist and are used to fulfill each requirement of ISO 27001?
- Which controls are still relevant and operating as intended?
- Who is responsible for performing each control?
- How critical is each control? Are there guidelines on how often a control should be tested or reviewed?
- What evidence or proof is associated with each control? In other words, is there any information that would guide the new employee on what type of evidence would satisfy the auditor?
- What documents did the auditor ask for last time? And what documents were provided?
- What sorts of actions did the team take based on the auditor’s report? Did they create any issues or remediation items?
- Did any remediation items get done? If so, were the results satisfactory?
If your organization had done its information security compliance work through a makeshift system –with spreadsheets, a file storage system, email and a project management system — it will be extremely difficult and time-consuming to get the answers you need to help the new employee do their job.
Unfortunately, this is the situation many organizations find themselves in today. Each time a compliance professional leaves the organization, a large amount of institutional knowledge disappears with the individual. The team left behind has to spend an enormous amount of time putting the pieces back together, much like attempting to complete a puzzle without seeing the full picture on the puzzle box.
Use a Compliance Operation Platform to Retain Institutional Knowledge
On the other hand, when an organization operates with a central compliance operation platform — one that houses all the compliance frameworks an organization adheres to, manages all the work that needs to be done (e.g., control owner assignments, control testing schedules, timeline of upcoming audits, tasks to collect evidence), and hosts an organization’s entire population of evidence — getting a new hire up-to-speed becomes much easier.
Hyperproof is a compliance operations platform that helps compliance teams get day-to-day work done efficiently and serves as your institutional memory. With Hyperproof, you can reduce the costs of turnover and the loss of valuable knowledge and empower your people to be far more productive. Here are Hyperproof’s key capabilities that support smooth transitions after staff changes:
- Hyperproof is a central repository for your infosec compliance work. It houses all of the compliance frameworks your organization needs to adhere to.
- The platform allows compliance managers to keep track of all the work that their team needs to do, including mapping controls to compliance requirements and assigning control ownership to individuals or teams within the business units.
- Each control is tracked in detail: who operates the control, whether a control is fully implemented, whether it’s been tested, and whether it’s effective or not.
- Hyperproof serves as the repository for your entire population of evidence, so you can always see what evidence was provided to an auditor for a specific request during previous audits.
- All records of evidence collection activities are tracked from multiple perspectives: Evidence can be stored in folders, or tied to a control or a specific item in a Document Request List from the external auditor.
- All activities that happen in Hyperproof are tracked, so you know who did something, when it was done, and what exactly was done.
Compliance and information security professionals have always had demanding jobs, but 2020 was a particularly challenging year for those in the industry. There is currently a worldwide shortage of individuals with cybersecurity and compliance skill sets, and their skills continue to be in high demand. With remote work here to stay and recruiters expanding candidate searches to more locations, top talent will inevitably be tempted to look around. It is estimated that losing an employee can cost 1.5 to 2 times the employee’s annual salary. For more senior employees, the financial burden rises.
Savvy leaders should keep a close eye on their team members, check-in regularly with each individual to watch for signs of flight risk, and, most importantly, have a compliance operation system in place to retain institutional knowledge in the event that key individuals move on from their organization.
To see how Hyperproof can help your organization maintain a consistent compliance program cost effectively, sign up for a personalized demo.
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao. Read the original post at: https://hyperproof.io/resource/compliance-team-turnover-costs/