5 ways to combat security and privacy audit fatigue

Cybersecurity audit fatigue has become a very real issue for organizations that are required to comply with multiple government, industry, and internal requirements.

In recent years, concerns over data breaches and privacy violations have spawned a bewildering array of regulations—all with similar goals but subtle differences in scope and in what they require organizations to do and provide by way of compliance evidence. The requirements have left security teams duplicating efforts and almost constantly engaged in audits rather than on their core functions.

A survey conducted by Telos last year found that, on average, organizations are required to comply with 13 different security or privacy regulations, including PCI DSS, HIPAA, Sarbanes-Oxley, GLBA and FedRAMP. Telos found that organizations are spending some $3.5 million annually and on average have 22 dedicated employees working on security and privacy audits.

“Audit fatigue is becoming a significant headwind for many companies’ IT security organizations,” says Jim Huguelet, principal at auditing and consulting firm The Huguelet Group. “These organizations are increasingly structuring their activities around various audits and assessments that must be completed, rather than their real mission of proactively addressing areas of greatest risk.”

Frustration over audit requirements is becoming an increasingly common problem. Business units and subject matter experts are getting asked the same questions repeatedly and perceive a lack of communication on the audit side, says Sean Goodwin, manager IT assurance and security at public accounting and business consulting firm Wolf & Company. “One of the worst implications of audit fatigue is people seeing audit purely as an annoying task to get through, rather than an opportunity to add value,” he says.