
How CISOs can manage and reduce compliance fatigue
Compliance fatigue can undermine security when poorly managed. CISOs can combat it by starting conversations, automating processes and using compliance to drive security initiatives.
"Compliance doesn't equal security."
You've heard it a million times. Perhaps you've even said it yourself.
While true, this is deeply limiting. Compliance doesn't guarantee security, but compliance fatigue can actively undermine it. Conversely, managed correctly, compliance can be a powerful enabler of security.
As a CISO, you can't afford to dismiss compliance -- or ignore the fatigue it generates. That isn't because compliance and security are equivalent -- far from it -- but because compliance is a catalyst. The way you approach compliance directly affects the risk optimization equation. It either compounds risk or helps reduce it.
What is compliance fatigue?
In a nutshell, compliance fatigue occurs when staff members are numbed by a deluge of continuous and overlapping compliance demands.
It's not the same as when team members feel overloaded by an audit or when they feel like there are too many checklists to respond to. Instead, this reflects how staff view the usefulness of compliance. Each new compliance activity is less valuable, becomes more of a distraction, makes other priorities harder, leaves staff less motivated -- and, therefore, less effective -- or otherwise creates drag on your program.
Consider a security program assessment. The first time it's performed, it's super valuable. It's exciting, helpful and effective. CISOs and their teams learn where the program can be improved, controls can be bolstered and unaccounted-for risks can be addressed. But what about the 10th assessment? What happens when five occur at the same time? It begins to feel like wasted effort even when the probes cover new ground. As a result, the effort-reward curve flattens, staff become disengaged or just phone it in, perceived payoffs fall off a cliff and conclusions that would otherwise be valuable feel like just more responsibilities.
What causes compliance fatigue?
It's not hard to see why compliance fatigue occurs. Three main sources are overlapping regulatory controls, cultural factors and company resources.
Overlapping regulation controls
Regulatory standards and frameworks overlap. It's not just because there are more of them, though this is also true, but also because they cover similar -- in some cases, identical -- ground. This is true of the controls they mandate, as well as the validation of adherence.
Consider PCI DSS, HIPAA, SOC 2 and ISO/IEC 27001. Many of the controls required by each overlap, as do program-level and structural requirements. Yet, responding to each framework's assessments or audits requires distinct evidence collection, reporting, project coordination and planning. It's logical that an organization -- particularly a large one -- has all these in its scope, which, in turn, means it's likely work will happen in parallel.
Cultural factors
First, there's the structure of the team itself -- for example, when organizations optimize for audit response rather than for meaningful risk reduction, program performance and long-term outcomes.
There can also be confusion about why compliance structures are in place, why individual controls matter and why responses need to adhere to a certain format or cadence.
Not only does staff morale suffer as a consequence, but staff are likely to be less engaged in the process. This, in turn, leads to teams deprioritizing tasks that directly support compliance, such as gathering evidence and meeting service-level agreements (SLAs).
Company resources
Company resources are also a factor in compliance fatigue. There's the stress of not having enough hands to accomplish the work. Plus, many compliance activities aren't optional; as a result, resources might be directed away from other tasks.
It's not just personnel: Tool ecosystems can create drag, too. Multiple internal teams, auditors and customers often use different tools to accomplish the same goal -- say, submitting evidence. A sort of tool sprawl emerges, where different spreadsheets; governance, risk and compliance platforms; and ticketing systems are in play simultaneously. The result: duplicative effort, confusion, inefficiencies and wasted time.
How to overcome compliance fatigue
There are tools and strategies to overcome compliance fatigue. Consider the following steps and action items.
Identify when fatigue occurs
CISOs must recognize when compliance fatigue begins. This is the first and most important element. To do that, remain alert for the following fatigue symptoms:
- Failure or delay in evidence collection.
- Backlog of audit-sensitive tasks, such as policy updates, user access reviews, etc.
- Consistently missed operational SLAs.
- Staff resentment or apathy.
Encourage conversations
Want to know if your employees are fatigued? Ask. It's a strategy that's particularly effective -- and surprisingly underused. Asking directly signals psychological safety and gives staff permission to speak candidly about areas of cultural, operational or structural friction.
CISOs can do this informally -- for example, as part of a town hall or off-site -- or formally, such as by incorporating relevant questions in employee engagement surveys or annual performance review processes.
Automate processes when possible
Automation kills multiple birds with one stone. Treat compliance like a process rather than a one-off event. Integrate control monitoring into ongoing operations. Build a plan to automate any high-effort, low-value task, particularly evidence collection, such as policy attestations, configuration validation and cloud control snapshots.
Adopting automation creates useful efficiencies even as it decreases demands on individual staff members' time. Consider where teams can use or adapt existing processes and workflows, such as continuous integration/continuous delivery and DevSecOps toolchains, to produce required evidence in a format directly supplied to auditors and assessors.
Improve efficiency
Seek efficiency gains where possible. Map controls across frameworks, and coordinate efforts to address multiple areas at once. This permits a more efficient way to organize remediation and mitigation activities, and it also can help support consolidation of evidence collection -- for example, by servicing multiple audits with the same evidence.
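The two ideas above -- automating evidence collection (configuration validation and cloud control snapshots) and mapping controls across frameworks so one artifact serves several audits -- can be combined in a small pipeline. The following is an added example written for this page, not code from the article or from any GRC product. The internal control IDs, the framework crosswalk, the shape of the configuration snapshot and the pass/fail thresholds are all constructed assumptions for illustration; real framework clause references are deliberately left out.

```python
"""Added example: collect evidence once, tag it with every framework it
answers, and seal each record with a digest so it cannot be altered silently.
All identifiers, thresholds and the snapshot below are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed crosswalk: an internal control maps to every framework whose
# audit it answers. Frameworks are named only; clause numbers are omitted.
CONTROL_CROSSWALK = {
    "IC-01 MFA required for privileged access": {"PCI DSS", "HIPAA", "SOC 2", "ISO/IEC 27001"},
    "IC-02 Encryption of data at rest": {"PCI DSS", "HIPAA", "SOC 2", "ISO/IEC 27001"},
    "IC-03 Quarterly user access review": {"PCI DSS", "SOC 2", "ISO/IEC 27001"},
    "IC-04 Audit logs retained one year": {"PCI DSS", "HIPAA", "SOC 2"},
}

# Constructed "cloud control snapshot"; the field layout is assumed, not any
# real provider's export format.
SAMPLE_SNAPSHOT = {
    "iam": {"mfa_required_for_admins": True, "last_access_review": "2024-05-30"},
    "storage": {"default_encryption": "AES-256"},
    "logging": {"retention_days": 180},
}


# Each check validates one control against the snapshot and returns
# (passed, observed_value) so the evidence records what was actually seen.
def check_mfa(snap, now):
    observed = snap["iam"]["mfa_required_for_admins"]
    return observed is True, observed


def check_encryption(snap, now):
    observed = snap["storage"].get("default_encryption")
    return observed == "AES-256", observed


def check_access_review(snap, now):
    last = datetime.fromisoformat(snap["iam"]["last_access_review"]).replace(tzinfo=timezone.utc)
    age_days = (now - last).days
    return age_days <= 90, age_days  # assumed quarterly cadence


def check_log_retention(snap, now):
    observed = snap["logging"]["retention_days"]
    return observed >= 365, observed  # assumed one-year requirement


CHECKS = {
    "IC-01 MFA required for privileged access": check_mfa,
    "IC-02 Encryption of data at rest": check_encryption,
    "IC-03 Quarterly user access review": check_access_review,
    "IC-04 Audit logs retained one year": check_log_retention,
}


def _digest(body):
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def collect_evidence(snapshot, now):
    """Run every check once and emit one sealed evidence record per control,
    tagged with all frameworks that record satisfies."""
    records = []
    for control, check in CHECKS.items():
        passed, observed = check(snapshot, now)
        record = {
            "control": control,
            "passed": passed,
            "observed": observed,
            "collected_at": now.isoformat(),
            "frameworks": sorted(CONTROL_CROSSWALK[control]),
        }
        record["sha256"] = _digest(record)
        records.append(record)
    return records


def verify_record(record):
    """Recompute the digest over everything except the stored digest; a
    mismatch means the record was edited after collection."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return _digest(body) == record["sha256"]


def evidence_for_framework(records, framework):
    """The subset of records an auditor for one framework needs to see."""
    return [r for r in records if framework in r["frameworks"]]


def collection_savings(records):
    """(collections run, per-framework evidence requests they answer)."""
    return len(records), sum(len(r["frameworks"]) for r in records)


if __name__ == "__main__":
    now = datetime(2024, 6, 30, tzinfo=timezone.utc)
    recs = collect_evidence(SAMPLE_SNAPSHOT, now)
    for r in recs:
        print("PASS" if r["passed"] else "FAIL", r["control"], "->", ", ".join(r["frameworks"]))
    print("collections vs. requests answered:", collection_savings(recs))
```

With the constructed snapshot, four collection runs answer 14 framework-level evidence requests, and the log-retention check fails, which is exactly the kind of gap the assessment should surface before an auditor does. The digest is a tamper-evidence measure for the evidence store, not a substitute for auditor review; a real pipeline would sign records with a key the collection service alone holds.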
Convey the importance of compliance
Communicating why compliance matters pays off. As CISO, conduct compliance training that frames compliance activities in terms of business risk -- especially for engineers and operational staff. This helps employees recognize the value associated with compliance and boosts their sense of ownership. Communicate key deadlines clearly, and solicit feedback on a regular cadence. Build in recovery time, where possible, after high-impact audits or high-effort remediation activities. This gives staff time to recover, review successes and failures, and reflect on how to improve next time.
Use compliance to drive security initiatives
CISOs understand that compliance is a tool that can advance risk reduction and operational goals. Executive teams and boards justifiably view compliance as extremely important. Being honest and direct about challenges here can help secure funding and executive buy-in for security efforts. Compliance turns from a drain into a driver -- unlocking budget, focus and leadership support.
Ed Moyle is a technical writer with more than 25 years of experience in information security. He is a partner at SecurityCurve, a consulting, research and education company.