Audits Need to Be Revamped!
We have a fairly small company when you compare us to the business world, but our security budget, which includes audits, continuous review, security software, firewalls, etc., is about 2/3 of our development budget. If you ask me, this is becoming absurd. There are too many audits that overlap in their requirements. There are repetitive tasks and unnecessary tasks. For example, why does the security budget need to include evaluation of your employees’ personal professional reviews? Why does the audit need to include proof of your board meeting minutes? Seriously, shouldn’t these items be considered highly secretive and be kept securely, EYES ONLY? I don’t think the auditors should claim they have the right to review an employee’s personnel file or board meeting minutes that might show financial or other very private information.
It seems to me that the PCI, GDPR and HIPAA data rules overlap 90%.
Don’t share the data, mask the data, be careful of leaving paperwork, credit cards, etc. out in the open. You could create one training process, making it simpler for companies and for employees to take the training, and update that training every year. Common sense at some point needs to be applied to business rules and regulations.
With the costs being so prohibitive, we are seeing businesses giving up on being compliant; the hill seems too high, too expensive and very stressful. Also, the audits don’t seem to be stopping the breaches. Most breaches are caused by humans failing to follow the rules of the audit, either purposefully or accidentally. Phishing is the number one hack. Phishing can be undermined by training, but the hackers that send out the emails, texts and phone calls are getting very good at their craft. During Hurricane Milton I saw an increase in phishing to our accounts, so they know when we are most vulnerable: catching people off guard during stressful times, off hours, etc.
I think audits are needed, but shouldn’t they concern themselves with data security? For example, they should ask where you store your employees’ personal data and whether it is secure and access is limited, not “show us examples of your employees’ personal data.” I think if audits were more stealthy and precise it would be easier to be compliant and not burn up time and effort that is not needed.
My two cents.