In the wake of a growing number of data breaches and privacy violations, cybersecurity teams have been forced to increase their security audits and comply with changing privacy regulations. This, in turn, drains resources from security operations: instead of focusing on core functions, teams end up investing more time in auditing.
2020 has been one of the most devastating years for enterprises, and especially for cybersecurity teams, which have had to witness and deal with a significant number of data breaches and privacy violations. Though they have added advanced security tools to their portfolio to deal with evolving cyber threats, that is not the only thing they have to deal with right now.
Privacy has taken the spotlight in the wake of today’s privacy violations by a number of tech giants. This has forced multiple government agencies and industries to develop and enforce compliance requirements and regulations that enterprises must follow, which has resulted in frequent cybersecurity audits. The increasing number of security breaches and subsequent audits has left security teams with no choice but to duplicate their mitigation efforts and frequently engage in audits instead of focusing on core functions.
As per a survey conducted by Telos, on average, enterprises are required to comply with 13 different security or privacy regulations. The survey also found that enterprises are spending around $3.5 million annually and have 22 dedicated employees working on privacy audits.
Frustration over audit requirements has been increasing, since C-suite executives think of them as an annoying and cumbersome process rather than something that will actually help them add value.
Addressing the security audit issue is not easy. However, there are a few strategies that CSOs can follow to deal with too many audits with overlapping requirements. Here are a few of them:
- Implementing a baseline standard
When enterprises have to deal with multiple federal, industry and internal security requirements, they should implement a set of baseline security controls developed from the frameworks or standards available from the National Institute of Standards and Technology (NIST). The assessment procedures and controls in these standards can easily be mapped to the ones an enterprise may need to comply with. The strategies listed in the NIST publications enable an enterprise to secure itself against social network threats, application vulnerabilities, and threats in cloud, mobile and other environments.
- Having an internal audit team
Relying only on security teams for cybersecurity audits is not a feasible way to reduce the audit burden and the associated audit fatigue. Therefore, enterprises should have an internal audit team, which will not only reduce the audit burden but also help spread awareness of security standards, compliance requirements and the documentation required as evidence that mandated controls are in place.
Even if an enterprise does not have sufficient resources to create a formal internal audit team, having one dedicated person with expert-level knowledge of all applicable standards and audit requirements can make a significant difference.
- Considering a risk-based approach
With a risk-based approach in place, CSOs can assess an enterprise’s exposure to cyber risks. This enables them to identify and prioritize the controls and processes that mitigate those risks. Furthermore, this approach enables enterprises to tailor their defenses to specific exposures and helps them assess and validate that those defenses are working as intended.
Cybersecurity audit fatigue is still a challenge and will continue to be one as long as cyber threats keep advancing. However, the security audit strategies above can be a valuable arsenal for enterprises in their battle against cyber threats.