Editor’s note: This piece was originally published on Security Boulevard on April 3, 2020.
The compliance space is constantly changing. Simply put, being compliant means obeying the rules. The complexity is high for organizations operating across multiple geographies, each with its own sets of standards and regulations, and that complexity is driving a compliance market that is set to reach $64.62 billion by 2025.
In 2020, businesses will continue to grapple with evolving data security and data privacy challenges. While the IT risk landscape has become more complex, there are emerging tools that will level the playing field and make it easier for businesses of all sizes to keep up with their obligations. Here are three governance, risk management, and compliance (GRC) trends that will shape the agendas of CISOs, CIOs, and CTOs in 2020 and possibly beyond:
Compliance and risk management need technology to navigate across state lines
Data privacy has become one of the top risk areas in 2020. Considering how many states have chosen to pass their own state-level data privacy bills in 2018 and 2019, it’s clear that many state legislators don’t have much faith that the federal government is able to get a federal privacy act passed. Thus, businesses must adapt to a patchwork of frameworks across state lines, which is a tough mandate to fulfill when they rely primarily on people and manual processes. Currently, many corporate leaders are still hesitant to use technology such as robotic process automation (RPA), AI and machine learning (ML) to streamline and automate internal processes. But for organizations to keep up with regulatory change and achieve compliance efficiently and reliably, business and compliance leaders need to begin to embrace this new technology.
Additionally, cybersecurity concerns continue to keep IT security, compliance professionals, and C-suite executives up at night. According to a 2019 survey conducted by Marsh and Microsoft, in the past two years, cyber risks have become even more firmly entrenched as an organizational priority.
Technologies such as AI and ML hold much promise and can potentially have a profound impact on organizations’ ability to identify, analyze and address data security and data privacy risk and meet their legal obligations. According to Crunchbase, in 2019, more than $10 billion was poured into privacy and security companies. Many of these investments are in companies that provide technological assets for managing privacy and security.
In 2020 and beyond, businesses are likely to use technology to keep up with the many moving pieces—such as evolving cyber risks and data privacy requirements.
The demand for IT security, privacy, and compliance talent is rising
According to a 2018 Cyber Data Security Risk Survey from Marsh & McLennan, just 18% of small businesses said they had developed a cyber incident response plan.
Businesses today are still struggling to respond to common cyber threats, and an inability to hire the right talent can make things much worse.
There’s currently a war for talent in the cybersecurity profession. In fact, there are approximately 2.93 million cybersecurity positions open and unfilled around the world, according to the non-profit IT security organization (ISC)².
The skillset businesses need from their security and compliance leaders is evolving, making it more difficult to make the right hires. For example, an effective chief information security officer (CISO) today needs skills in three distinct areas:
- Risk and compliance management
- Technical IT expertise
- Communication and leadership skills
CISOs must be well-versed in IT risk assessment methodologies, proficient in multiple IT applications, skilled at acquiring new technology, and possess effective communication and leadership skills. This blend of skills is difficult to find.
In 2020, a strategy that only stresses hiring to meet evolving cyber risk and data privacy challenges isn’t enough to mitigate risks, protect the organization, and maintain a competitive edge. CISOs’ strategies must include assessing and adopting new technologies to automate incident response and compliance management.
Continuous compliance is the new norm
Until now, many organizations have treated compliance as a check-the-box exercise. In 2020, organizations will begin viewing compliance as an essential function of business continuity. Technology and business leaders have seen enough examples to know that missing red flags from cyber intruders can carry large repercussions and cost them their jobs.
For instance, in 2018, Voya Financial (VFA) was forced to pay $1 million to settle charges related to its failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised the personal information of thousands of customers. According to the SEC, VFA’s failure to terminate the intruder’s access stemmed from weaknesses in its cybersecurity procedures. Had VFA implemented the necessary procedures and compliance processes, the institution would have immediately flagged two contractors trying to reset their passwords and identified the fraudulent behavior. While missing red flags from cyber intruders once seemed like a small mistake, as evidenced by VFA and so many others, the repercussions are immense.
What occurred at VFA can occur at any organization that does not consistently test or enforce its security procedures. To keep your organization safe at all times, you’ll need to continuously monitor the efficacy of your security policies and procedures, and test them on a regular basis.
Compliance with regulations and customer requirements will continue to become increasingly difficult to manage for organizations. In fact, I believe that over the next four to five years, we will see around half a million audits that don’t currently exist, and in the next decade, it’s likely we will see a steady stream of significant new lawsuits around access to data.
With this in mind, this year and beyond, continuous review and assessment of an organization’s compliance program need to become the industry standard if a business is to navigate the risky and sometimes obscure data security and privacy landscape.