CISOs struggle to prepare for compliance audits due to COVID-19
A new study reveals that calendars for security and compliance audits are largely unchanged despite COVID-19, yet the pandemic is straining teams as they work remotely.
The survey from automated audit preparation company Shujinko shows that CISOs are tasked with preparing for more than three audits on average in the next 6-12 months, but are struggling with inadequate tools, limited budgets and personnel, and inefficient manual processes.
The results show that migration to the cloud is dramatically increasing the scope and complexity of audit preparation, obsoleting old methods and approaches.
"This survey clearly shows that CISOs at major companies are caught between a rock and hard place when it comes to security and compliance audits over the second half of 2020 and want automated tools to help dig them out. Unfortunately, they’re simply not able to find them," says Scott Schwan, Shujinko CEO and co-founder. "Teams are cobbling together scripts, shared spreadsheets, ticketing systems and a hodgepodge of other applications to try to manage, resulting in inefficiency, lengthy preparation and limited visibility. More than two-thirds of CISOs are looking for something better."
The most common audits are for HITRUST, HIPAA and PCI DSS: 51 percent of CISOs surveyed indicate that they are preparing for a HITRUST audit in the next six to twelve months, while 45 percent are preparing for HIPAA, 43 percent for PCI, 41 percent for CCPA and 36 percent for an internal audit. In addition, 77 percent of the companies preparing for SOC-2 audits were software companies.
CISOs are also worried about doing more with less. COVID-19 has amplified these concerns with both teams and auditors working remotely. Worries over conflicting priorities, draining available resources and ensuring that evidence is complete round out the top five CISO concerns.
Automation is high on many agendas, with 72 percent of security executives saying they want to improve the automation of their audit preparation process. It's also cited as the number one element most CISOs would change if they could. Team communication and collaboration round out the top three most desired improvements.
You can find out more on the Shujinko site.