Survey finds CISOs highly interested in automation to address major concerns about doing more with less, preparing for audits remotely and speeding evidence collection

September 18, 2020

No Comments

Shujinko announced the results of a survey of North American CISOs documenting the challenges facing security and compliance professionals preparing for a wave of upcoming audits. The survey, a joint effort between Shujinko and Pulse, found that calendars for security and compliance audits are largely unchanged despite COVID-19, yet the pandemic is straining teams as they work remotely. Moreover, CISOs are tasked with preparing for more than three audits on average in the next 6-12 months, but struggle with inadequate tools, limited budgets and personnel, and inefficient manual processes. Furthermore, the results show that migration to the cloud is dramatically increasing the scope and complexity of audit preparation, obsoleting old methods and approaches.

“This survey clearly shows that CISOs at major companies are caught between a rock and hard place when it comes to security and compliance audits over the second half of 2020 and want automated tools to help dig them out. Unfortunately, they’re simply not able to find them,” said Scott Schwan, Shujinko CEO and co-founder. “Teams are cobbling together scripts, shared spreadsheets, ticketing systems and a hodgepodge of other applications to try to manage, resulting in inefficiency, lengthy preparation and limited visibility. More than two-thirds of CISOs are looking for something better.”

Key Research Findings:

CISOs are preparing for an average of 3.3 security compliance standard audits over the next six to twelve months. Despite changes in the economic climate due to COVID-19, CISOs are still tasked with preparing for more than three upcoming compliance audits across multiple security frameworks (e.g., PCI, SOC 2, NIST-CSF, ISO 27001, etc.).
Most common audits are for HITRUST, HIPAA and PCI DSS. 51% of CISOs surveyed indicated they are preparing for a HITRUST audit in the next six to twelve months, 45% are preparing for HIPAA, 43% for PCI, 41% for CCPA and 36% for an internal audit. In addition, 77% of companies preparing for SOC-2 audits were software companies.
CISOs are worried about doing more with less. COVID-19 has amplified CISOs’ concerns about doing more with less (both people and budget) with both teams and auditors working remotely. Worries over conflicting priorities, draining available resources and ensuring that evidence is complete round out their top five CISO concerns.
CISOs desperately want more automation. 72% of security executives say they want to improve the automation of their audit preparation process, and automation was cited as the number one element most CISOs would change if they could. Team communication and collaboration rounded out the top three most desired improvements.
Two-thirds of CISOs dislike their current tool set. The survey found that CISOs are currently using a mix of home-grown scripts, spreadsheets, ticketing systems, shared documents, Sharepoint and e-mail to prepare for audits. No CISOs reported having a security audit preparation tool that they are completely satisfied with.
CISOs have poor visibility into the audit process. No CISOs rated visibility into key audit preparation steps a complete success and only one rated it a 4 out of 5 - suggesting poor executive line-of-sight into hitting audit deadlines.
Audit processes don’t fit a cloud development model. Only 1 percent of CISOs said that their audit preparation process completely aligns with the speed and agility that is needed for rapid cloud application development and frequent iteration.

This survey was conducted by Pulse in late June 2020. Responses were provided by 100 senior security executives at companies headquartered in North America. For more information, visit shujinko.io.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

CISOs struggling to prepare for upcoming security compliance audits

Survey finds CISOs highly interested in automation to address major concerns about doing more with less, preparing for audits remotely and speeding evidence collection

Related Articles

Related Events

Report Abusive Comment