Mitigating Compliance Team Turnover Costs

We are approaching the end of the year, a time when many people will start thinking about the changes they want to make in their professional and personal lives in the coming year.

Living through a global pandemic has made life difficult for all of us – for some more than others. According to the Bureau of Labor Statistics, the U.S. unemployment rate in September was 7.9%. This represents about 12.6 million people. Many of those who are still working have to work longer hours, take on new responsibilities and do more with fewer resources.

Information security professionals, compliance specialists and audit managers have faced challenges they had never encountered before in their careers.

In March 2020, millions of employees were sent to work from home by employers who had no plan for maintaining cyber security in a radically different working environment. The security and confidentiality controls put in place for physical offices suddenly became irrelevant.

CISOs, IT security and compliance professionals were confronted with questions like these:

How do we identify all the new assets connecting to our network and business data? What is the right combination of policies and training to get employees to think carefully about security, versus technical controls that simply block new devices? Do we know whether the people responsible for the security of key systems are still with the company?

In 2020, security and compliance professionals faced a large number of external threats, new internal uncertainties that needed to be managed and, in many cases, fewer resources for their work.

Meanwhile, the basic tasks that compliance specialists have always carried out do not disappear. They still need to conduct routine audits and recertifications against information security frameworks such as ISO 27001, PCI DSS, SOC 2 and others.

It would be an understatement to say that the compliance and information security specialists have had a busy year. Meanwhile, those who are dissatisfied with their work have more opportunities than ever to look for greener pastures.

Studies show that mass remote working in the United States is here to stay even after COVID-19 recedes. According to Gartner, two-fifths of employees are likely to work outside the office at least some of the time after the pandemic, compared to 30 percent before the virus. When employees work remotely, the risk of losing them is greater. Many organisations have come to realise the benefits of teleworking and have therefore expanded their search for candidates across the whole country.

The best talent in remote roles has more opportunities than ever to jump ship.

In this context, it is important that CISOs and business leaders are prepared for the fact that their staff of cyber security and compliance experts will become even more depleted in the near future. While there are many things leaders can do to try to keep their best employees, turnover is not always avoidable.

Are you ready for this scenario as a CISO, audit manager or business manager? Do you have a plan to reduce the risk of losing valuable institutional knowledge about compliance when key members of your compliance team leave the organization?

Reducing the cost of turnover

Say a key member of your compliance team has left the company. That person had been responsible for the company’s ISO 27001, SOC 2 and PCI recertification processes for the past three years. You have now hired a new team member to oversee and lead the ISO 27001 recertification process. The audit is two months from today.

How would you onboard the new hire so that they can get the company recertified against ISO 27001 without any hiccups? Is the task easy or difficult? The answer, of course, depends on how well your compliance and audit activities have been recorded and tracked.

To onboard the new hire, you need to find answers to questions like these:

  • Where are the ISO 27001 activity records from previous years kept?
  • What is in those files? Did your former ISO 27001 compliance manager track and maintain the corresponding controls in one place?
  • Which controls exist and are in use to meet each individual ISO 27001 requirement?
  • Which controls are still relevant and working as intended?
  • Who owns each control?
  • How important is each control? Are there guidelines on how often controls should be reviewed or re-tested?
  • What evidence relates to each control? In other words, is there information that would help the new employee understand what evidence would satisfy the auditor?
  • Which documents did the auditor request last time, and which documents were provided?
  • What measures did the team take in response to the audit findings? Did the findings raise problems or issues that still need to be resolved?
  • Have any steps been taken to address them? If so, were the results satisfactory?

If your organization has been managing its information security compliance work through an ad hoc system – spreadsheets, file storage, email and project management tools – it would be extremely difficult and time consuming to get the answers a new employee needs to do his or her job.

Unfortunately, many organizations find themselves in exactly this situation today. Every time a compliance specialist leaves the organization, much of that individual’s institutional knowledge disappears with them. The rest of the team has to spend a lot of time putting the pieces together, trying to complete the puzzle without seeing the picture on the box.

Using a compliance operations platform to preserve institutional knowledge

On the other hand, if an organisation works from a central operations platform – one that houses all the compliance frameworks the organisation adheres to, manages all the work involved (e.g. control owner tasks, test plans, ongoing audits, evidence collection tasks) and stores all of the organisation’s evidence – it becomes much easier for a new employee to get up to speed.

Hyperproof is a compliance operations platform that helps compliance teams carry out their daily work effectively and serves as corporate memory. With Hyperproof, you can reduce the cost of turnover and the loss of valuable knowledge, and make your employees far more productive. These are the main features of Hyperproof that enable a smooth transition after a personnel change:

  1. Hyperproof is the central repository for your IT security compliance. It brings together all the compliance frameworks your organization needs to comply with.
  2. The platform enables managers to track all of their teams’ activities, including mapping controls to compliance requirements and assigning control ownership to individuals or teams within the business units.
  3. Every control is tracked in detail: who owns the control, whether it is complete, whether it has been tested and whether or not it is effective.
  4. Hyperproof serves as a repository for all your evidence, so you can always see what evidence was submitted to the auditor in previous audits in response to a specific request.
  5. Evidence collection is tracked from several angles: evidence may be stored as files, linked to an audit, or linked to a specific item on the auditor’s document request list.
  6. Everything that happens in Hyperproof is tracked, so you know who did what, when it was done and exactly what was done.

Key takeaways

Compliance and information security professionals have always had a difficult job, but 2020 was a particularly challenging year for those working in this field. There is currently a global shortage of people with cyber security and compliance skills, and demand for their expertise remains high. If remote work is here to stay and recruiters extend their search for candidates to other locations, the best talent will inevitably be tempted to look around. It is estimated that losing an employee can cost 1.5 to 2 times his or her annual salary, and for more senior employees the financial burden is higher.

Good managers must keep a close eye on their team members, check in with each individual regularly to look for signs that they might leave and, most importantly, set up a compliance operations system that preserves institutional knowledge when key people leave the organisation.

To see how Hyperproof can help your organization maintain a consistent compliance program at minimal cost, sign up for a personalized demo.

The post Mitigating Compliance Team Turnover Costs appeared first on Hyperproof.

*** This is a syndicated blog post from Hyperproof, distributed through a network of security bloggers and written by Jingcong Zhao. The original post can be found at
