This blog post reviews data security and privacy trends as 2020 comes to an end.
When COVID-19 triggered the move to working from home, many organizations sharpened their focus on reducing latency. They hustled to get the basics in place — laptops, connectivity, etc. — to enable employees to access systems and data from their homes. Once that availability was in place, attention quickly turned to minimizing lag time associated with accessing the data.
As that work occurred throughout the first half of this year, Shared Assessments Vice President and CISO Tom Garrubba noticed that a more troubling form of latency had materialized: the lag time between practice and policy in newly remote workplaces.
“Look at almost any third party contract and you’ll see a description of employees working in office buildings and other large facilities,” Garrubba says. “Now, most of the global workforce works from home. And few existing third party contracts address what should and should not occur when vendors’ employees work from home.”
Garrubba counts closing that gap among the third party risk management (TPRM) and data security and privacy trends he’ll be monitoring in 2021:
- Restoring balance to the CIA: From the moment the pandemic drove workers home, nearly all organizations have maintained a laser-like focus on a single leg (availability) of information security’s three-legged “CIA” stool. As a result, the other two legs, confidentiality and integrity, have received less attention than they warrant, especially given the distinct nature of at-home data security and privacy risks. “There’s been a major emphasis on availability and understandably so,” Garrubba observes. “The focus has been on accessing the data I need now that I’m working from home. But this scramble bumped data security and privacy to the back burner, and that’s a problem.” Strengthening the focus on confidentiality and integrity requires, at a bare minimum, equipping remote employees with virtual private network (VPN) access and encrypted communications, says Garrubba, who also notes that outsourcers should ensure that their third parties, starting with critical vendors, are doing the same. “I know a lot of TPRM professionals, legal departments, IT groups and security teams are reaching out to critical vendors to ensure their employees are using a VPN, multi-factor authentication and a work-supported laptop, as opposed to a personal machine.” Garrubba expects bad actors to launch more data security attacks on organizations and their third parties in 2021 by targeting less robust home networks that are connected to corporate networks.
- Investing in GAPP: As more states adopt unique data privacy regulations, the compliance burden on outsourcers and third parties intensifies. “There’s a good reason why you have legal and privacy officers in the U.S. screaming for a federal GDPR equivalent,” Garrubba explains. “It’s extremely taxing to address a growing number of individual state privacy regulations. While most of these laws essentially have similar requirements, there are many nuanced differences among these rules that companies have to deal with.” The lack of a federal law and the rising number of state-level privacy rules, Garrubba notes, are driving more data privacy teams to embrace “privacy by design” — the baking of existing standards into policies and procedures before those processes are required by law or a regulatory mandate. In the continued absence of a U.S. GDPR, Garrubba expects more organizations to proactively integrate into their programs standards like Generally Accepted Privacy Principles (GAPP), a global framework developed jointly by the American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA).
- Navigating next-generation data security and privacy talent challenges: This is the fourth year in a row that companies have endured a widening cybersecurity skills gap, one that negatively affects 70 percent of organizations. Two-thirds of data security professionals also indicate that bad actors maintain a major advantage over information security teams. Both of those figures come from the latest (2020) version of Enterprise Strategy Group (ESG) and the Information Systems Security Association’s (ISSA’s) ongoing survey of cybersecurity professionals. In a separate study, ESG and ISSA find that COVID-19 and the shift to remote working models have 1) forced information security teams to reshuffle their priorities and activities; and 2) elevated their stress levels as the volume of cyber-attacks has increased since March. Data security talent is more difficult to find and more expensive than ever, Garrubba emphasizes. “The IT headhunters I know who are conducting security searches right now tell me they don’t know when they’re going to sleep,” he reports.
- Elevating availability: As leading organizations seek to rebalance their three-legged data security and privacy stools, they’re also realizing the value of sustaining attention, and resources, on availability, given its role in enabling organizational resilience. Garrubba expects some companies to consider creating a C-level position, a chief availability officer, dedicated to enabling that resilience. “For many years business continuity and business resilience professionals operated in their own silos with less interaction than they ideally should have maintained, though not necessarily through any fault of their own,” Garrubba adds. “In many cases, other parts of the organization would reach out to those responsible for availability only when a new regulation required them to do so. Now that so many workforces are operating remotely, all of the interdependencies that enable an organization to maintain access to its systems and data in a cloud environment have become painfully clear.”
To alleviate that pain, more TPRM teams will be rebalancing how they manage confidentiality, integrity and availability in 2021 as normalcy slowly returns.