Osirium says deceptive IT practices put security audits at risk

The most significant and worrying finding, according to David Guyatt, CEO of Osirium, the sponsor of the independent research, is that over 70% of the organisations surveyed admitted that system administrators often make uncontrolled IT changes immediately prior to audits in order to meet compliance, after which they then let these changes lapse.

“If the auditors knew this was the case, they would surely fail the audit in the first place”, he says.

Guyatt argues that these findings suggest that organisations are willing to accept the risks associated with making such informal and uncontrolled changes, rather than dealing directly with the costs of repeating failed audits, which would also affect resources, performance, and the analysis reports presented to senior management.

The report on the research – which took in responses from 100 ITsec professionals last month – also highlights that IT staff typically spend as much as 30% of their time preparing for, and delivering, audits, whilst less than 20% of the organisations polled fully automate the gathering of data for such audits.

Interestingly, Infosecurity notes, fewer than 10% of those questioned said that they automate the remediation of audit gaps.

Commenting on the results of the survey, Bob Tarzey, an analyst and director with Quocirca, said that, on average, IT security staff spend about 30% of their time on the mundane task of preparing for audits.

“This new research shows that in many organisations it is senior IT staff that end up manually collecting much of the required data. If the task could be undertaken automatically they would be free to focus on more productive activities”, he noted.

“All of these issues have an underlying cause which revolves around the inability of organisations to automate compliance related activities and tasks,” he said.

“The technology is already available to automate these tasks, perform internal compliance audits and remediate gaps to ensure organisations remain compliant between audits. If they used Osirium they wouldn’t have to dedicate so much time preparing for audits and making all those informal and uncontrolled changes, which are deemed non-compliant practices anyway”, he added.