Data Security and Privacy Trends – Closing the COVID Gap – 2021 Perspectives

Dec 1, 2020 | Data & Cybersecurity, Privacy, Security

Data Security and Privacy Trends

This blog post reviews data security and privacy trends as 2020 comes to an end.

When COVID-19 triggered the move to working from home, many organizations sharpened their focus on reducing latency. They hustled to get the basics in place — laptops, connectivity, etc. — to enable employees to access systems and data from their homes. Once that availability was in place, attention quickly turned to minimizing lag time associated with accessing the data.

As that work occurred throughout the first half of this year, Shared Assessments Vice President and CISO Tom Garrubba noticed that a more troubling form of latency had materialized: the lag time between practice and policy in newly remote workplaces.

“Look at almost any third party contract and you’ll see descriptions of employees working in office buildings and other large facilities,” Garrubba says. “Now, most of the global workforce works from home. And few existing third party contracts address what should and should not occur when vendors’ employees work from home.”

Garrubba counts closing that gap among the TPRM and data security and privacy trends he’ll be monitoring in 2021:

    • Restoring balance to the CIA: From the moment the pandemic drove workers home, nearly all organizations have maintained a laser-like focus on a single pillar (availability) of information security’s three-legged “CIA” stool. As a result, information security’s other two pillars, confidentiality and integrity, have received less attention than they warrant, especially given the unique nature of at-home data security and privacy risks. “There’s been a major emphasis on availability and understandably so,” Garrubba observes. “The focus has been on accessing the data I need now that I’m working from home. But this scramble bumped data security and privacy to the back burner, and that’s a problem.” Strengthening the focus on confidentiality and integrity requires, at a bare minimum, equipping remote employees with virtual private network (VPN) access and encrypted communications, says Garrubba, who also notes that outsourcers should ensure that their third parties, starting with critical vendors, are doing the same. “I know a lot of TPRM professionals, legal departments, IT groups and security teams are reaching out to critical vendors to ensure their employees are using a VPN, multi-factor authentication and a work-supported laptop, as opposed to a personal machine.” Garrubba expects bad actors to launch more data security attacks on organizations and their third parties by targeting less robust home networks (connected to corporate networks) in 2021.
    • Investing in GAPP: As more states adopt unique data privacy regulations, the compliance burden on outsourcers and third parties intensifies. “There’s a good reason why you have legal and privacy officers in the U.S. screaming for a federal GDPR equivalent,” Garrubba explains. “It’s extremely taxing to address a growing number of individual state privacy regulations. While most of these laws essentially have similar requirements, there are many nuanced differences among these rules that companies have to deal with.” The lack of a federal law and the rising number of state-level privacy rules, Garrubba notes, are driving more data privacy teams to embrace “privacy by design” — the baking of existing standards into policies and procedures before those processes are required by law or a regulatory mandate. In the continued absence of a U.S. GDPR, Garrubba expects more organizations to proactively integrate into their programs standards like Generally Accepted Privacy Principles (GAPP), a global framework developed jointly by the American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA).
    • Navigating next-generation data security and privacy talent challenges: This is the fourth year in a row that companies have endured a widening cybersecurity skills gap, one that negatively affects 70 percent of organizations. Two-thirds of data security professionals also indicate that bad actors maintain a major advantage over information security teams. Both of those figures come from the latest (2020) version of Enterprise Strategy Group (ESG) and the Information Systems Security Association’s (ISSA’s) ongoing survey of cybersecurity professionals. In a separate study, ESG and ISSA find that COVID-19 and the shift to remote working models have 1) forced information security teams to reshuffle their priorities and activities; and 2) elevated their stress levels as the volume of cyber-attacks has increased (since March). Data security talent is more difficult to find and more expensive than ever, Garrubba emphasizes. “The IT headhunters I know who are conducting security searches right now tell me they don’t know when they’re going to sleep,” he reports.
    • Elevating availability: As leading organizations seek to rebalance their three-legged data security and privacy stools, they’re also realizing the value of sustaining attention, and resources, on availability, given its role in enabling organizational resilience. Garrubba expects some companies to consider creating a C-level position, a chief availability officer, dedicated to enabling that resilience. “For many years business continuity and business resilience professionals operated in their own silos with less interaction than they ideally should have maintained, though not necessarily through any fault of their own,” Garrubba adds. “In many cases, other parts of the organization would reach out to those responsible for availability only when a new regulation required them to do so. Now that so many workforces are operating remotely, all of the interdependencies that enable an organization to maintain access to its systems and data in a cloud environment have become painfully clear.”

To alleviate that pain, more TPRM teams will be rebalancing how they manage confidentiality, integrity and availability in 2021 as normalcy slowly returns.

Tom Garrubba

Tom Garrubba, Vice President/CISO, Shared Assessments, is a subject matter expert, consultant, lecturer and author with 20 years of experience in IT risk, security, privacy, and audit. Tom is a beloved instructor of the Certified Third Party Risk Professional (CTPRP) program. Tom is on the Forbes Technology Council and, outside of work, is involved with the Civil Air Patrol Squadron 603 and enjoys coaching (softball, baseball) and making music with his kids!
