An odd blog for a founder and CEO of a compliance company – but there it is. We all know that hacking is at an all time high. (Data Breaches up 38% in Q2 2021) But so is the amount of money that enterprises spend on compliance (The Average Cost of Compliance per Company is $5.47M) So the question is posed: “Is Enterprise Compliance Helping or Hurting Against the Attacks”?
It certainly can be stated that the hours that IT Security departments spend collecting data for the ever growing regulatory compliance measures and regulatory guidances are hours NOT being spent strengthening our IT systems and investigating security events.
For example the average SOX audit is taking 300 hours per enterprise per year. The average cost for a small site SOX audit (3 nodes) is now $975k an 18% YTD increase (Protiviti) The average HIPAA audit is taking 100 hours per enterprise.
These hours are coming from some groups FTE and contractor budget. What is not being spoken – is often these hours and dollars and coming from the budget of groups that are supposed to be securing us against these breaches.
As stated in the Dark Reading article “10 Articles That Prevent Security Pros From Doing Their Jobs”, 9. Compliance and Reporting Runaround:
Compliance activities are an integral part of the security function, but CISOs and their teams often spend so much time on the audit treadmill verifying their minimal security posture that they don’t have time for meaningful improvement.
I was quoted:
“The biggest blocker in the whole process is rarely discussed,” says Garret Grajek, CEO of YouAttest. “It’s never stated, but a large percentage of an IT security staff’s job is spent gathering reports and documenting changes and security events for governance and compliance.”
But don’t take my word for it – here’s a quote from an IT compliance officer that I had the pleasure of working with at a couple of enterprises:
“Compliance complexity and the current manul process involved are devouring IT security and IT compliance resources” Craig Guinasso, CISM, CISSP, Senior Director, Privacy & Data Security Compliance at Guardant Health
Is IT Compliance Helping or Hurting Against Hacks?
The key to these IT compliance measures, be it SOX, SOC2, PCI-DSS, HIPAA/HITRUST and now CMMC is evidence provided of actions and state for the controls. This is often a time-consuming process of an external auditor making request for evidence of an action and event and the processes and procedures involved with the incidence. In addition, in all these guidances there is a requirement for a review of all identities and groups that have access to both data and resources to their regulated information. These practices fall are detailed in the NIST Cyber Security Framerwork 800-53 rev 5 under PR.AC-1 and PR.AC-4.
The manual processes of these access reviews, which are usually done via XLS spread sheets:
- Export data from identity/application source CSV
- Identify Managers
- Create separate attestations per manager
- Send attestations to managers
- 1st line managers delegate access review to reporting managers
- Pass to multiple reviewers when necessary
- Have controller review reports during process
- Nag non-responding managers
- Collate/Formulate reports
- Create a presentable copy for auditors
This is the type of work identified by the CISOs and compliance directors that are running these access reviews. It’s painful, time-consuming process of collecting data, querying team members, nagging team members, collating data and formulating reports. And to be blunt… very little of this effort leads to a more secure environment.
The solution – we must bring in tools like YouAttest that automate the review process. Otherwise – we will never free up enough time from our resources to protect against the onslaught of ransomware and identity hacks.
If you feel like there is more information that we should add to this article ” Is IT Compliance Helping or Hurting Against Hacks?”, please do write back to us.
YouAttest is automated identity audit tool for Okta, AD and other resources. Cloud based and simple to use – YouAttest provides a quantified platform for your identity audits. Schedule an appointment with a YouAttest identity audit professional.