
Easing the Friction between Security Operations and Compliance

By A.J. Turcot •  March 6, 2020

Security operations teams aren’t usually looking for things to do to pass the time.  Their days are filled with critical security functions like managing intrusion detection systems, reviewing audit logs, and patching applications and operating systems – and that’s before lunch.  As you can imagine, amidst their heavy workload, they love taking the time to respond to auditors and compliance teams.

Ok, that last part is obviously not true.

They may not be happy about it, but the fact is, security teams are spending more and more time responding to audit requests. For that matter, it’s common for security teams to receive multiple inquiries about similar IT security functions or controls on an annual, semi-annual or even quarterly cadence. That flurry of activity is only further exacerbated when multiple standards are required; the impact on the security team (and the compliance team) is dramatic.

What can you do to relieve audit fatigue?

But as painful as it might be, compliance with IT security and risk management standards is critical. The issue, then, is how to reduce the friction that exists between security and compliance teams.  A good first step is to acknowledge the strain these compliance requests have on the security team.  Audit fatigue is alive and well in many organizations.  But it doesn’t have to be that way.

Here are a few ways to reduce the compliance burden on your security team:

  • Preparation – Create a culture within your organization that is proactive, not reactive, towards security compliance.
  • Controls Mapping – Select one comprehensive risk framework as a base for all IT risk management compliance activities.
  • Control Inheritance and Recommended Controls Implementation – Take advantage of already-compliant systems to make new systems compliant.
  • Automation – Automating the mapping and evidence generation process will save considerable time and effort.

My colleague Steve Horvath and I went into a lot more detail in a recent webinar called: “Combatting Audit Fatigue in IT Risk Management.”   I invite you to watch the on-demand webinar, and share it with others on your team who may be struggling with compliance burnout and audit fatigue.

A.J. Turcot, CISSP is an enterprise account executive at Telos Corporation.

The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.
