Guide

The Three Mega Trends CISOs Need to Watch

Why Paying Attention to Data Privacy Is Critical

Download the PDF
The Three Mega Trends CISOs Need to Watch Hero

Introduction

CISOs today face unprecedented opportunities and challenges

Businesses are acquiring new applications and generating new business data at a faster pace than their security teams can keep up. There isn’t a day that goes by without another news headline about the latest data breach. Meanwhile, the rise of data privacy regulations in the U.S. will have a far-reaching impact on the ways in which businesses operate their systems, handle data, and work with customers, vendors, and suppliers. The risk landscape is changing quickly, but the full impact of these changes is not yet obvious.

In the next several years, every organization will grapple with challenges created by the new risk landscape. Navigating it successfully will require organizations to take on new approaches to keep their critical business systems secure and their customers’ information private. At the same time, we expect businesses to take a closer look at the security risks posed by their supply chain and apply more stringent criteria to evaluate potential vendors before bringing new applications into their firms.

We believe that these trends are here to stay, and they will have a disruptive impact on how organizations approach security, meet their legal obligations, build trusted relationships with one another, and grow revenue.

In this brief, we’ll dive into three related mega-trends, the new challenges they bring to CISOs, their team, the entire organization, and why it’s important to prepare now. We’ll also address how organizations can meet these rising challenges with new approaches and tools.

Mega trend 01
Cybersecurity risk is on the rise due to multiple factors

Decorative - People in business environment working on computer

For many years, cybersecurity risk has been an area of concern for organizations that process sensitive or personal data (e.g., financial services companies, data processors for healthcare organizations, credit card processing applications). However, cyber risk is on the rise for organizations of all types, due to several factors. The Verizon “Data Breach Investigations Report” revealed that 61% of data breach victims were companies with less than 1000 employees. At this moment, organizations should be asking themselves: Are we worried enough?

Increased connectivity between organizations elevates the risk of third-party breaches

The ways in which we work with one another has changed dramatically within the last ten years. Instead of developing custom software internally, most of us today rely on a variety of off-the-shelf third-party applications to run our business. Instead of maintaining our own servers, we rely on cloud infrastructure providers to host our services. Instead of mandating our employees do all of their work from our physical offices on company-issued equipment, our employees and contractors often work from their homes and access corporate systems and resources on their personal devices. All of these workforce changes bring organizations increased flexibility and scalability, but also elevate the risk of valuable data assets being compromised.

At this time, nearly all organizations are dependent at some level on external entities. A 2019 Deloitte poll revealed 70 percent of respondents indicated a moderate to high level of dependency on external entities that might include third, fourth or fifth parties. And nearly half (47 percent) of respondents said their organization has experienced some sort of risk incident involving the use of external entities in the last three years.

According to a Ponemon Institute study, data breaches exposed 4.1 billion records in the first half of 2019, and third-party breaches accounted for over half of all data breaches in the US. Each data breach cost an average of $7.5 million to remediate.

The hot job market for cybersecurity talent

At its core, maintaining security and an effective compliance program overall is about making sure that everyone in the organization knows what job they need to do and when it should be done. Organizations implement processes to ensure that these jobs are done with as much of the work automated as possible. In the compliance industry, we call these processes “controls”. Defining controls is a good starting point for every organization. However, no matter how well designed a control is, it will fail if the control owner fails to implement the control or doesn’t implement it when they are supposed to.

What’s tough today is that professionals who are responsible for implementing security controls (IT security specialists, information security analysts, network security engineers, application security engineers) are in high demand and can switch jobs quite often.

The job market for security professionals and many other types of tech talent is getting hotter by the day. It is estimated that the number of unfilled cybersecurity positions will grow to a staggering 3.5 million by 2021. According to job posting data, the gap between the cybersecurity workforce supply and demand has reached a national average ratio of just over two job postings for every one available cybersecurity professional.

When someone responsible for a security control leaves and no one takes over, your entire organization is left in a vulnerable position.

Your pace of innovation and growth can be a risk factor

As an organization buys new applications, updates the org structure, or changes internal processes, existing controls may become irrelevant or insufficient. If the evolution of your controls cannot keep up with the pace of innovation, your organization will be at greater risk.

The good news is that many organizations are already taking this risk seriously. In Hyperproof’s 2020 IT Compliance Benchmark survey, we found that 62% of all surveyed organizations plan to increase their budget to mitigate IT compliance risks this year, and the top driver for increased spending is their realization that business expansion inevitably creates new risks that need to be addressed.

The rise of geopolitical conflicts: U.S. companies at risk of becoming collateral damage

Those of us in the United States should brace for the possibility that there may be an increase in cyberattack attempts from state-sponsored actors in political conflicts with our government (e.g. Iran, China). “Attacks from state-sponsored sources have significantly increased over the past few years for businesses,” said Jordan Mauriello, vice president of managed security at cybersecurity firm Criticalstart, in an email to CNBC in January after a U.S. airstrike killed Qasem Soleimani, a top Iranian military official.

In fact, U.S. companies have often been the targets of cyber terrorism. In the past few years, Iranian hackers carried out a series of attacks on the largest U.S. financial institutions including Bank of America and Citigroup. Las Vegas Sands Corp. was attacked in 2014 over owner Sheldon Adelson’s support for Israel and calls for attacks on Iran.

The emerging challenge: remembering everything you need to do

At this time, businesses must incorporate these new factors into their risk assessments and their cybersecurity roadmap. For instance, having a plan to assess and monitor the ongoing risks posed by your supply chain is crucial. However, having a great strategy by itself will not be enough.

In this new world, organizations will have a lot more tactical work to do across all phases of a compliance program. The truth is that organizations are comprised of many busy people, each with some responsibility for security, and each susceptible to forgetting to do some of the things they need to do. How can all those individuals remember everything they need to do and do everything on time?

And it isn’t cyber risks alone that will increase the compliance burden. Data privacy regulations are posing a whole new set of challenges.

Mega trend 02
Newer data privacy laws mandate certain security controls and new vendor management obligations

Business people working

At this time, approximately 41 U.S. states have laws mandating data breach notification, which is among the central focuses of modern data privacy regulation. However, multiple states have rolled out new and improved data privacy laws in 2018 and 2019. These new privacy programs tend to mirror Europe’s hallmark compliance legislation, the General Data Protection Regulation (GDPR).

The GDPR has been notoriously challenging for organizations to implement and most were not able to meet its stringent requirements by the legally effective date. This failure to comply has resulted in a number of enforcement actions against companies operating in Europe.

Below is a quick summary of some major data privacy laws in the U.S.

CCPA

  • Gives consumer rights to know about how their data is being used, a right to access it, a right to opt-out of having their data sold to third parties, and the right to request that their personal information be deleted
  • Businesses have to inform consumers about categories of information that will be collected and the purpose for which it’s being collected — at or before the point the information is taken.
  • Requires formalized data protection and disposal techniques and tools
  • Businesses must provide consumer notification within 30 days of breach detection.
  • Civil financial penalties of up to $7500 can be imposed for each instance of non-compliance.
  • Individuals have the right to bring private right of action against a company when their personal information is breached. Consumers don’t have to prove that they incurred actual financial loss from the data loss, only that the company violated the law.

Even though CCPA only took effect on January 1 2020, it is already being cited in data breach lawsuits (Barnes v. Hanna Andersson, LLC, N.D. Cal., No. 20-cv-00812). Barnes, the plaintiff and a California resident, brought her class action complaint to the U.S. District Court after Hanna Andersson announced on Jan. 15 that hackers had scraped customer names, payment card numbers, and other personal information. The complaint alleges that the hacked data, which was found for sale on the dark web, was hosted by Salesforce on its e-commerce platform. It also alleges that the e-commerce platform was infected with malware, which is what led to the data breach.

New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act

  • Amended New York’s data breach notifications and cybersecurity laws
  • Added new data security protections to the General Business Law — these are far-reaching, prescriptive standards. The law requires covered businesses to implement certain administrative, technical, and physical safeguards; for instance businesses must “regularly conduct tests and monitor the effectiveness of key controls, systems and procedures.”
  • Pushes organizations to develop and implement a written Data Security Plan that complies with the SHIELD Act
  • Pushes organizations to integrate their ongoing compliance with New York data breach laws into their overall compliance efforts
  • Toughens the potential civil penalties for breach notification law violations, increasing them to up to twenty dollars per instance of failed notification (capped at $250,000), and imposes new civil penalties (up to $5,000 per violation, with no cap) for certain failures to comply with the new data security standards

Washington State Data Privacy Act (introduced January, 2020)

  • Gives consumers the right to know if a controller is processing their personal data and to access that personal data
  • Gives consumers the rights to correct their personal data; delete it; obtain their personal data in a portable format; and to opt out of having their personal data processed for targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or significant effects on the consumer
  • Data controllers (those who determine how data will be used) are required to put in administrative. technical, and physical data security policies and processes in place to protect the confidentiality, integrity, and accessibility of the consumer data they are collecting or processing.
  • Data controllers and data processors must have contracts in place with provisions regarding personal data processing. The required provisions are similar to the GDPR’s data processing requirements.
  • Processing sensitive data without a consumer’s consent is forbidden
  • Covered businesses must conduct data protection assessments for all processing activities involving personal data.
  • For companies that don’t comply with the law, the Washington Attorney General authority to take legal action and enforce penalties of up to $7,500 per violation.

In addition to the state-level legislations, Congress is actively exploring what a federal privacy bill would look like, and multiple legislators have bills in process.

While these laws have some differences, what they all have in common is a focus on data security. They all require businesses to have reasonable security controls to protect sensitive data from unauthorized access. These laws recognize that organizations cannot keep user information private unless they also have disciplined cybersecurity management practices to keep data secure. They push organizations to strengthen their security measures and better manage the IT risks posed by their supply chain. These laws also use large fines and penalties to incentivize this behavior change.

While surveys have shown that organizations’ leaders are already highly concerned about cybersecurity risk, we believe the rise of data privacy laws will push security concerns even higher on organizations’ agenda. To successfully comply with these data privacy laws, organizations will need to do a better job of protecting their critical data assets and ensure their data processing vendors also have sufficient safeguards in place.

Faced with the prospect of paying significant fines and penalties, organizations will soon be forced to quickly mature their third-party risk management practices. They will start to do more to examine the security posture of their supply chain and take measures to mitigate the risk of third-party data breaches.

Mega trend 03
Organizations will make changes in the way they build trusted relationships with one another

As organizational reliance on third parties increases, extended enterprise risk management will become a greater focus going forward. While the use of SOC 2 reports and ISO 27001 reports as verification mechanisms are already common for large enterprises, we believe that this trend will move down-market and become more pervasive in the next several years.

According to the Ponemon Institute’s recent third-party cyber risk management survey, enterprises only take action on eight percent of all the vendor assessments they receive. Going forward, we expect organizations to conduct a greater number of vendor risk assessments and review those results more carefully and frequently.

Additionally, the firms with sufficient resources may develop their own auditing procedures to evaluate the security and data privacy practices of their vendors. You may already be familiar with Microsoft’s Supplier Privacy & Assurance Standards that instructs their suppliers on data privacy and protection and ensures suppliers’ compliance with those requirements. Going forward, we anticipate more organizations will follow in Microsoft’s footsteps with their own formalized security and data privacy standards for suppliers.

Key challenges

Today, most organizations use manual processes to verify the security and privacy postures of their vendors, and the vendor information they do review aren’t necessarily all that telling. Over 54% of respondents to the Ponemon survey said the results of vendor risk assessments provide, at best, only somewhat valuable information.

Often times, a risk assessment is sent out to a new vendor prior to signing a contract, but no one checks up on the vendor in the next few years, because people get busy, forget, or move on from the organization. Yet, as the need to verify counterparties goes up, organizations will need to find better ways to remind themselves to do the things they intend to do.

Meanwhile, every organization is a counterparty to someone else. Organizations will need to figure out how to effectively demonstrate their commitment to data privacy and security to their customers and partners, and do it at scale.

How does compliance operations software help organizations address these challenges?

Hyperproof can help organizations navigate this multifaceted challenge of making sure your whole organization is aware of what’s changing and is able to keep up and move in sync.

Hyperproof is an extension of your team. Our application not only serves as a system of record for all of your compliance data (compliance requirements, controls, and evidence), it also helps your compliance program managers clearly communicate the roles and responsibilities of everyone who needs to be involved in the program and keep everyone on track and honest.

Hyperproof helps a compliance program manager keep track of and communicate the following to their team:

  • For every compliance standard (e.g., GDPR or SOC 2), who needs to implement each control and when does it need to happen?
  • Who needs to keep a control up to date when a process changes or when a new system is introduced into the environment? When does it need to happen?
  • Who needs to submit evidence that a control (internal or vendor) is working? When does it need to happen?
Decorative - Group of people working together in office environment

The application uses logic and automation to remind people about the work they need to do and when it needs to be done so no one drops the ball on an important task. Ultimately, this helps the organization avoid control failures that result in compliance failures, data breaches, business interruptions, reputational damage, expensive lawsuits, and revenue loss.

“Hyperproof will also allow us to manage evidence files and controls across multiple programs, linking to multiple requirements, and all the time providing us real-time visibility into our readiness through the use of dashboards, freshness metrics, and potential gaps that will feed into our team’s operational workflow,” says Aaron Poulsen, Director of Product Security and Compliance at DigiCert.

“We’ll know, and be alerted to, how soon something needs to be reviewed and refreshed. When you’re managing a multitude of programs, frameworks, and standards, having a holistic view of where you stand is no longer an optional output of the compliance function, it’s an expectation. Hyperproof is helping us meet that expectation.”

Related Resources

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act

Guide to The Stop Hacks and Improve Electronic Data Security (SHIELD) Act

Breakdown of what your current compliance operations are costing you

The Washington State Privacy Act Could Be More Comprehensive Than the CCPA

A magnifying glass over a screen signifying examining for cybersecurity risk management

Cybersecurity Risk Management: Frameworks, Plans, & Best Practices

Download the PDF

G2 Crowd Leader
G2 Crowd Best Estimated ROI
G2 Crowd Best Customer Support Enterprise
G2 Crowd Fastest Implementation
G2 Crowd Momentum Leader