In 2018 we started to see the effect of a global grassroots movement that demands stronger data privacy parameters. As of December 2018, reported US-based breaches totaled over 1,000, with 561,782,485 individual records exposed. And in healthcare alone, there’s been quarter over quarter increases in data breaches – so far totaling 9,033,352 records from 334 breaches.
Despite the headlines, there is a trend toward real change, and for 2019, I predict the following:
1. Certifications to demonstrate data security excellence will continue to proliferate.
HITRUST in healthcare (which is currently expanding to other industries) leads the pack right now. However, HITRUST-certified Anthem pointed out an Achilles heel – meeting strict compliance standards doesn’t equal strict security standards. Will that affect its popularity? Only time will tell. Companies need to remember that being compliant does NOT equate to being secure.
I believe that we’ll see SOC 2 continue to gain popularity across industry sectors. A SOC 2 report, the go-to for organizations to prove system controls excellence, is an attractive, agnostic choice for many companies because its Trust Services Criteria covers operational processes, policies and staff activities. A SOC 2 attestation report is audited by an independent third-party CPA firm, which adds to its credibility.
2. Integrated Risk Management (IRM) will gain traction.
Thanks to the proliferation of IoT and personal technology, data is being generated at a phenomenal pace. Risk has evolved and organizations are still learning what their risk appetite is. Too little risk and a company doesn’t grow, too much risk and it fails. Organizations often spend money buying the latest shiny new cyber-tool, rather than focusing on developing a broad risk-based approach. Recognizing how risk can affect market value will make companies get strategic about managing it.
GRC will continue to be a component - however - the broader consideration of risk from the enterprise level will be a greater factor. Gartner is also in agreement, stating that managing risk is “essential for digital transformation.”
[Learn why IRM is becoming the preferred approach to data security]
3. Data security will move from the tech department into the board room.
For years, cybersecurity and data privacy hasn’t been much more than a budget line item for companies. Security budgets traditionally have been delegated to the CISO. As a result, solutions tended to be tech rather than people focused.
While technology should play a key role in any cyber defense strategy, risk management must come first. In the cloud-based, IOT orientated environment we operate in, no technology can, on its own, ring-fence our data. Therefore solutions need to be a combination of people, process and technology - which starts at the board level. In 2019, I believe that security will have to become part of overall business operations and organizational strategy, to the benefit of consumers, business partners and the bottom line.
4. Government regulations and agencies will sharpen their teeth.
Compromised data privacy and security is a threat to the economy. The EU’s enactment of the General Data Privacy Regulation (GDPR), the state-driven California Consumer Privacy Act (CCPA) that will come into effect in 2020, and the US Food and Drug Administration’s (FDA) continued positioning on security are all responses to incessant data privacy and security attacks. Even US state Attorneys General are now banding together to make HIPAA enforcement more effective, Although penalties are growing harsher, I believe there still needs to be more enforcement. For large, multinational companies the cost of a breach penalty may pale in comparison with their overall revenues. I believe this to be the case with Marriott, and their breach of 500 million guests’ data. Will 2019 see harsher fines? When the enforcement arms of GDPR ramps up, I believe so. With CCPA following in 2020.
5. Employee training importance will continue to be elevated.
Creating a privacy and security aware workforce is a requirement of every single regulation and corrective action plan for a reason. No matter the technical defenses a company deploys, the human factor is integral to successful data protection. Just think of the damage an employee can do by clicking on a phishing link! The culture of cybersecurity and successful risk management starts with an organization’s people.
We’ve come to the proverbial fork in the path. Fortunately, trends look like the alternate “less traveled” path is going to get busy in the year ahead.