The regulatory compliance drumbeat just keeps getting louder and louder each year. It started with Sarbanes-Oxley more than two decades ago, and there’s no stopping the freight train of compliance. We now have SOC 2, HITRUST, CMMC, and dozens of other laws, regulations, and frameworks with which organizations have to comply. It’s a lot, no question about it, and it’s causing challenges for sure. Audit fatigue. Internal workplace friction. The list goes on and on. So the question begs: are excessive audits a problem in cybersecurity? The short answer is yes. The better answer is no, so long as audits are not excessive and do not drain an organization’s critical operational and IT resources.
Unfortunately, many “...cybersecurity teams get bogged down in endless audits, uncovering too many issues beyond their capacity to address. These costly and duplicate audits often suck up a great deal of time, diverting teams from their primary mission of securing critical systems. They also create friction with IT teams, who feel that the loosely coordinated audit teams keep asking the same questions. As audit fatigue invariably kicks in, these reviews become worthless as the audit reports are archived and forgotten after they are issued.” 1
According to Phillimon Zongo, a Forbes Councils Member, “But through my company’s work training cyber leaders from more than 55 countries, I have observed no direct correlation between cybersecurity spend and cyber resilience. As bad guys keep outpacing cybersecurity teams, some business leaders feel like they are pouring money into leaky buckets. The answer, in part, lies in resource misallocation. Here are three common ways I’ve noticed cybersecurity teams waste money.” 2
The key to a successful audit is being comprehensive, yet also efficient, and providing an independent assessment that yields a true ROI for an organization.
1 FORBES
2 FORBES