By Scott Gordon, CISSP, Oomnitza
Technology oversight is a common mandate across IT and security frameworks and compliance specifications, but achieving that oversight is difficult. The rise of hybrid workplaces, shadow IT/DevOps, and cloud infrastructure dynamics continue to create cybersecurity risks. SecOps, Governance Risk and Compliance (GRC) and ITOps teams use wide variety of tools and operational data to mitigate security posture exposures and fortify business resiliency, yet audit readiness and compliance validation remain a challenge. According to a recent survey, 66% of organizations failed at least one audit over the last three years [1]. Another survey calculated that organizations spend $3.5M each year on compliance activities [2].
Why? First, technology and operational intelligence, across the myriad of users, endpoints, applications and infrastructure, is siloed and fragmented. Beyond event logging, where is no established way to aggregate, correlate, and analyze this data, which exists within different departments, divisions, and management tools. Second, the tasks required to ascertain control and policy compliance details, resolve violations and provide adherence proof are resource intensive and error prone. As audit frequency and range expand to meet multiple evolving specifications, how can organizations reduce issues, delays, and spend? Answering this question has placed CISOs on a path towards continuous audit readiness that’s accomplished by automating audit processes, from Scope to Evidence.
Clearly, smaller enterprises tend to be more cloud-first, but larger the company, the more distributed the environment — and the more siloed divisions and IT domains become. The pandemic accelerated cloud migration, propelled digital transformation initiatives, and surged hybrid workplace adoption. The net effect of these events has introduced well known audit readiness challenges, such as:
- Audit data is siloed and fragmented, preventing timely, efficient and accurate analysis
- Attestation-based compliance does note replace quantitative control assessment
- Identifying and resolving remote workforce policy deviation is difficult
- Cloud resource monitoring and policy enforcement is more fractured
- Less controlled use of cloud resources introducing new exposures
- Audit delay, re-audits and unplanned audit spend is increasing
GRC and security teams often have large, disparate technology datasets that are often incorrect or duplicative, hindering effective control analysis. Data discrepancies and deviation from pre-designated control frameworks are common. GRC team requests for audit support, investigations and corrective actions result in large, cross-department time and resource drains– often with incomplete or unsubstantiated outcomes. Overall, these audit challenges yield increased compliance gaps, prolonged audits, unplanned expenditures, and greater penalty and procedure refactoring costs. Beyond failing to meet audit specifications, there is the risk of attack and data leakage –upwards of 69% of cyberattacks started with an exploited mismanaged internet-facing assets [3].
One foundation for audit and compliance readiness is to identify and settle on a common security framework, and as a result, common control areas: asset intelligence, IT management, and protection mechanisms. Asset/Technology Intelligence incorporates endpoints, applications, and network and cloud infrastructure. IT Management (that includes Identity and Access Management) encompasses ownership, access, entitlements, configuration, and lifecycle management controls. Protection mechanisms incorporates a wide variety of cyber defenses such as malware, encryption, vulnerability management and firewall technologies.
To advance audit process automation, policies and their technical controls can be used to monitor, verify, report, resolve and refine adherence to specifications. For example, to satisfy PCI-DSS as well as other mandates, a policy for compliant virtual systems running in a payment processing zone would include operating a standard configuration that has system encryption and managed detection and response MDR) active, having an active and authorized owner, and resources consistently managed (access) a specified interval. A compliance workflow would create, monitor and respond to deviations related to these policy-based controls.
Technical control validation (beyond attestation), when used within a process automation platform, reduces audit and compliance complexity and lowers auditing expenditures. ITOps, security and GRC teams can map each set of policies based on user, ownership, location, and technology security / operational state conditions. This also facilitates working with business units to identify unique business requisites and contractual obligations. This approach does not hold water if the underlying audit data is still inaccurate, missing, or conflicting.
Data incongruity impacts evidence generation and threat resolution – and is the antithesis of progressing continuous audit readiness. Audit process automation, from Scope to Evidence, necessitates establishing a unified, integrated system of record for asset technology. Most enterprises have several sources that might conflict with each other or may not be regularly updated. This manifests in present-day auditing gaps – according to Cybersecurity Insiders research more than half of respondents confirmed that their organization have less than 75% asset intelligence coverage.
GRC, security and IT teams need actionable insight on what resources, from endpoints and applications to network and cloud infrastructure, are associated with which owners, managers and departments – and where are these resources located. Which endpoints have inactive or outmodes defenses and are vulnerable? What software applications are installed and what SaaS applications are being accessed and is such use unauthorized and licenses. Where are new instances of network and cloud workloads being spun up, who manages them, and are they correctly configured or exposed. It is this matrix of data that organizations use to apply a policy (guidelines to be met) that drive the processes (actions to be taken) and procedures (detailed steps that comprise the action) — these elements serve as the basis for automation.
A new class of Enterprise Technology Management (ETM) tools have emerged as an enabler for continuous audit readiness by providing the ability to automate key business processes for technology and IT management. These platforms deliver the necessary system of record and workflow flexibility to enable continuous audit readiness. ETM platforms apply multi-source data normalization and advanced correlation that better equip security and GRC staff to to analyze and interpret policy compliance information. They also provides low-code workflow editing and management, leveraging this unified and accurate technology intelligence, to streamline a wide variety of compliance verification and remediation tasks. This approach makes audit reporting preparation always available, incident management more proactive, audit completion more predictable (and less costly), and audit workflows more easily manageable – across an enterprise’s entire IT estate.
49% of organizations expressed room for improvement in their workflows due to periodic security and compliance issues [5] Given on-going operational dynamics, ever-increasing technology volume, and present-day shrinking budgets, now is the time to determine where and how to progress continuous audit readiness.
Scott Gordon (CISSP)
CMO at Oomnitza
1 ESG Research: 2021: State of Data Privacy and Compliance
2 Vanson Bourne/Telos: 2020 Survey, A Wake-Up Call: The Harsh Reality of Audit Fatigue
3 ESG Research: 2022 Security Hygiene and Posture Management
4 Cybersecurity Insiders: 2022 Attack Surface Management Maturity Report
5 You-Gov/Oomnitza: 2022 State of Audit Readiness Report
