CISOs struggling to prepare for upcoming security compliance audits

Survey finds CISOs highly interested in automation to address major concerns about doing more with less, preparing for audits remotely and speeding evidence collection

September 18, 2020

Shujinko announced the results of a survey of North American CISOs documenting the challenges facing security and compliance professionals preparing for a wave of upcoming audits. The survey, a joint effort between Shujinko and Pulse, found that calendars for security and compliance audits are largely unchanged despite COVID-19, yet the pandemic is straining teams as they work remotely. Moreover, CISOs are tasked with preparing for more than three audits on average in the next 6-12 months, but struggle with inadequate tools, limited budgets and personnel, and inefficient manual processes. Furthermore, the results show that migration to the cloud is dramatically increasing the scope and complexity of audit preparation, obsoleting old methods and approaches.

“This survey clearly shows that CISOs at major companies are caught between a rock and hard place when it comes to security and compliance audits over the second half of 2020 and want automated tools to help dig them out. Unfortunately, they’re simply not able to find them,” said Scott Schwan, Shujinko CEO and co-founder. “Teams are cobbling together scripts, shared spreadsheets, ticketing systems and a hodgepodge of other applications to try to manage, resulting in inefficiency, lengthy preparation and limited visibility. More than two-thirds of CISOs are looking for something better.”

Key Research Findings:

CISOs are preparing for an average of 3.3 security compliance standard audits over the next six to twelve months. Despite changes in the economic climate due to COVID-19, CISOs are still tasked with preparing for more than three upcoming compliance audits across multiple security frameworks (e.g., PCI, SOC 2, NIST-CSF, ISO 27001, etc.).
Most common audits are for HITRUST, HIPAA and PCI DSS. 51% of CISOs surveyed indicated they are preparing for a HITRUST audit in the next six to twelve months, 45% are preparing for HIPAA, 43% for PCI, 41% for CCPA and 36% for an internal audit. In addition, 77% of companies preparing for SOC-2 audits were software companies.
CISOs are worried about doing more with less. COVID-19 has amplified CISOs’ concerns about doing more with less (both people and budget) with both teams and auditors working remotely. Worries over conflicting priorities, draining available resources and ensuring that evidence is complete round out their top five CISO concerns.
CISOs desperately want more automation. 72% of security executives say they want to improve the automation of their audit preparation process, and automation was cited as the number one element most CISOs would change if they could. Team communication and collaboration rounded out the top three most desired improvements.
Two-thirds of CISOs dislike their current tool set. The survey found that CISOs are currently using a mix of home-grown scripts, spreadsheets, ticketing systems, shared documents, Sharepoint and e-mail to prepare for audits. No CISOs reported having a security audit preparation tool that they are completely satisfied with.
CISOs have poor visibility into the audit process. No CISOs rated visibility into key audit preparation steps a complete success and only one rated it a 4 out of 5 - suggesting poor executive line-of-sight into hitting audit deadlines.
Audit processes don’t fit a cloud development model. Only 1 percent of CISOs said that their audit preparation process completely aligns with the speed and agility that is needed for rapid cloud application development and frequent iteration.

This survey was conducted by Pulse in late June 2020. Responses were provided by 100 senior security executives at companies headquartered in North America. For more information, visit shujinko.io.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.