On April 20, leading cybersecurity and compliance firm A-LIGN released the 2021 Compliance Benchmark Report, a first-of-its-kind cybersecurity benchmark survey that lets organizations compare seven aspects of their compliance programs to peers by industry, by revenue, and by employee size. The report analyzes survey results from over 200 cybersecurity, internal audit, and other professionals about their compliance programs over the past 12 months.
For retailers, the topic of cybersecurity compliance is virtually synonymous with the Payment Card Industry Data Security Standard (PCI DSS). This certification program, first introduced in 2004, was designed to combat credit card fraud and protect personally identifiable information (PII) associated with credit card transactions around the globe. Yet, as compliance programs have become more common across governments and industry alike, PCI is no longer the only game in town.
Retail organizations today are still primarily driven by PCI, but they also conduct pen tests and vulnerability assessments as part of the PCI timetable. ISO 27001 certifications and SOC 2 examinations (ranked the most important upcoming assessments by 39 percent and 47 percent of respondents, respectively) are required in some rare circumstances. And since almost every retailer has a website or e-commerce store, privacy regulations such as GDPR and CCPA almost certainly come into play (with more state laws on the way).
All these certification requirements present a real challenge to retailers — and while other industries may be subject to a different combination of frameworks, the 2021 Compliance Benchmark Report found that many companies are dealing with this same challenge of coordinating multiple audits.
In fact, 85 percent of respondents conduct more than one audit a year, with 60 percent of organizations over $5 million in revenue conducting four or more audits per year. Meanwhile, only 14 percent of organizations consolidate audits into a single annual event, which means they're running multiple disjointed, redundant audits year-round. This is a significant contributor to the primary challenges that organizations reported with the audit process, namely limited staff dedicated to compliance (44 percent) and tedious and manual evidence collection (27 percent).
So, what can retailers do about this? A-LIGN recommends consolidating audits — as well as auditors — to increase efficiency, reduce costs, and streamline processes. This can be achieved through a tool called a Master Audit Plan, which assesses the requirements of the various certifications or reports, identifies overlapping requirements, and determines the company's audit needs well in advance. Actions are coordinated on a timeline built around the PCI DSS assessment cycle, which the entire cross-functional team can rally around.
Other key findings from the 2021 Compliance Benchmark Report include:
- Companies have experienced minimal disruptions to their compliance programs during the pandemic. Eighty-five percent of companies completed their audits as planned or with an extension, and 60 percent had no change to audit timing. Additionally, 71 percent continued with their audits and assessments remotely instead of in person.
- Compliance helps win new business. The survey found that although there were many different drivers of compliance projects, 64 percent have found a common benefit from conducting audits: winning new business.
- Audit automation isn't automatic yet. Only 25 percent of respondents stated that they're using a software solution to prepare for audits and assessments, such as an automated security, compliance, or governance, risk and compliance (GRC) solution.
Overall, the 2021 Compliance Benchmark Report revealed that although IT organizations leveraged technology, consolidation and automation to adapt to the operational and security needs of their suddenly distributed workforce during the pandemic, those same techniques haven't yet reached their potential when it comes to the audit and compliance process. This is an enormous opportunity for retailers and other organizations around the world as we bounce back in 2021 and beyond.
Patrick Sullivan is the director of customer success at A-LIGN, a cybersecurity and compliance firm.
In his 12 years at Akamai, Patrick Sullivan has held a number of leadership positions, including leading the Enterprise Security Architect team. Sullivan and his team work with customers when they come under attack and design security architectures to protect them from threats. In the course of helping to fend off attacks, he has gained visibility into attacks targeting many of the top enterprises. Seeing security issues as a critical component of a client's business strategy, Sullivan often speaks at security events and with clients around the world. Prior to Akamai, Sullivan held various leadership positions at DISA, AT&T, Savvis, and Cable and Wireless.