When we asked Santa Fe Group Vice President and CISO Tom Garrubba to gaze into his crystal ball last month, he identified several events related to Third Party Risk Management that he thinks may materialize this year, including:
- Privacy breaches (those caused by the mishandling of personal data) becoming more difficult for companies to manage — just as problematic, if not more so, as responding to information security breaches
- A surprising hack attempt of the November U.S. elections by a nation-state (hint: it won’t be Russia)
- A breach of a Department of Defense contractor’s information security, via one of its third parties, by a foreign entity
- A data breach in which a US intelligence officer releases confidential information to Wikileaks or a similar entity
- An increase in the number, and importance, of chief data officers — a role that may soon command as much C-suite authority as CIOs currently wield
“It’s going to get ugly this year,” Garrubba reports. He’s referring to a likely spike in politically motivated cyber-attacks during a contentious election year, as well as to their increasingly personal nature. On that count. Garrubba expects “doxing” attacks to increase. The term describes the theft and public exposure of personal data and information about a corporation or individual that criminals motivated by politics or social beliefs carry out to inflict reputational damage. Some of the most notable of the TPRM-related trends Garrubba is also monitoring this year include:
- CCPA enforcement: The California Consumer Privacy Act (CCPA) went live Jan. 1, and the state is set to begin enforcing the new law on June 1. “How it is enforced and the extent to which it is enforced consistently represents a real wild card this year,” Garrubba notes. “A lot of companies are still determining whether they’re appropriately addressing the law, and that’s causing big headaches.” Part of that stress stems from the legislation’s swift finalization — it was cobbled together from five different data privacy bills. Garrubba also notes that many manufacturing companies are working to comply with California’s other new data privacy law — which addresses data privacy requirements for Internet of Things (IoT) devices and technologies — that has largely flown under the radar. “The other thing to keep in mind,” Garrubba adds, “is that the CCPA really spurred other states to develop similar laws.” At least a dozen states have active data privacy regulations working their way through the legislative process.
- Small is beautiful — to cyber criminals: Garrubba expects last year’s cyber-attacks on smaller companies, utilities and public sector entities to continue. Smaller companies and municipalities tend to have fewer resources to invest in improving their information security and privacy capabilities. They also operate at a disadvantage when it comes to competing for and compensating full-time information security and data privacy professionals.
- Chief Data Officers command attention: More companies across all industries will consider the creation of the chief data officer role in their C-suites. These leaders provide data analytics to business unit heads so they can grow their businesses, but Garrubba would like to see them also take a role in having some say as to the handling of customer or personal data and how it should be protected. Given that data privacy expertise (deep knowledge of what companies and their vendors are permitted do with customer data) is distinct from information security expertise (protecting the data while ensuring its integrity, confidentiality and availability), a Chief Data Officer with such a background in privacy and security – along with their analytical abilities – will become an incredibly powerful asset to any organization.
- Public-private partnerships become more pivotal: Until recently, it was not unheard of for a company to keep the lid on a breach of its information security defenses, especially if the attack’s damage was limited. The unwanted publicity generated by acknowledging the breach, the thinking went, would outweigh any benefits of doing so. That mindset is quickly changing. Garrubba describes recent examples of companies reaching out to government agencies, regulators and industry peers to detail actual cybersecurity breaches and what aspects of their response proved effective. Those interactions and insights can help fortify cyber-attack defenses within more companies. “The value of that collaboration, Garrubba notes, “far outweighs keeping security lapses secret.”
Those collaborations also will help prevent data privacy and information security matters from getting too unpleasant in 2020.