COVID-19 Amplifies CISOs’ Concerns about Doing More with Less

  • Chief Information Security Officers are preparing for an average of 3.3 audits against security compliance standards over the next six to 12 months
  • Of the CISOs working for software companies, 77% said they were preparing for SOC 2 audits
  • Senior security leaders are worried that their current resources are not enough for the upcoming audits and compliance work

Chief Information Security Officers (CISOs) must prepare for more than three audits on average in the next six to 12 months but struggle with inadequate tools, limited budgets and personnel, and inefficient manual processes.

Audit solutions provider Shujinko and Pulse teamed up to survey 100 North American CISOs and document the challenges facing security and compliance professionals preparing for a wave of upcoming audits.

New ways of working under COVID-19 and the rapid migration to the cloud have left CISOs struggling to do more with less, or at best with the same resources they had on hand before the pandemic.

According to the survey results, CISOs are preparing for an average of 3.3 audits against security compliance standards over the next six to 12 months.

“Despite changes in the economic climate due to COVID-19, CISOs are still tasked with preparing for more than three upcoming compliance audits across multiple security frameworks (e.g., PCI, SOC 2, NIST-CSF, ISO 27001, etc.),” surveyors said.

But that’s only the tip of the iceberg as far as compliance hurdles go. CISOs are also bracing for HITRUST, HIPAA, and PCI DSS audits. More than half of respondents indicated they are preparing for a HITRUST audit in the next six to 12 months, while 45% are preparing for HIPAA, 43% for PCI DSS, 41% for CCPA, and 36% for an internal audit.

Of the CISOs working for software companies, 77% said they were preparing for SOC 2 audits. SOC 2 is an attestation framework from the AICPA rather than a prescriptive rulebook: it evaluates how an organization manages customer data against five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Only the security criterion is mandatory; the other four are brought into scope by the organization itself. More importantly, SOC 2 reports are unique to each organization, meaning each business must design its own set of controls to meet the criteria it has chosen, and the auditor then tests whether those controls are suitably designed and, for a Type 2 report, operating effectively over the review period.

The survey reveals that CISOs are worried about their current resources facing upcoming audits and security compliance.

“COVID-19 has amplified CISOs’ concerns about doing more with less (both people and budget) with both teams and auditors working remotely. Worries over conflicting priorities, draining available resources and ensuring that evidence is complete round out the top five CISO concerns,” surveyors said.