Ask the experts: The most important GRC trends of 2023 (Part 2)
When it comes to Governance, Risk, and Compliance, vigilance is everything.
GRC managers need to stay on the ball, which means being alert to any emerging developments and trends.
And being a bunch of curious compliance professionals ourselves, we thought it’d be an awesome idea to put together insights from some of the most talented folks in the GRC space today.
So here you have it. Straight from the sources. The most important GRC trends to look out for in 2023 (Part 2).
Sushim Roy, GRC Expert at Big 4 Accounting Firm
“Your biggest GRC challenge isn’t finding the right tools; it’s maintaining accountability within your team.”
Many voices in the GRC space focus on identifying new capabilities to improve their frameworks.
While I agree that GRC managers always need to optimize their tools, I don’t think this is the main challenge facing GRC leaders today. There are a lot of great platforms out there. With a little research and testing, managers can find the ones that are right for them.
From my perspective, the biggest challenge is from the organizational perspective.
I’ve headed GRC efforts in many large organizations, and the consistent issues are always related to the role setup, communication, and most importantly, designing the framework so that the company management can follow the processes and decision-making.
In any organization, there are a range of compliance and security risks. The most important question GRC managers need to be able to answer is this: “Who owns each particular risk?” or, in other words, who is responsible for addressing this particular GRC need, and who is responsible for following up when there is an issue? What allows you to answer this question is clear visibility. If you’re taking on a new leadership role in GRC, I strongly recommend: this should be your first priority. Divide the organization into sections so you can delineate responsibilities and better quantify risks and requirements.
The manager then needs to make sure that executives know who holds each of these roles so that coordination can take place between all the relevant parties: the executive overseeing the domain, the GRC manager, and the GRC analyst responsible for the specific task. Conversely, the individual analyst needs to know which executives to reach out to when there is a need to make a change, introduce something new to the framework, or report an incident.
Once the GRC manager has this clarity, the entire job will go much more smoothly—and effectively.
Debra Baker, CEO of TrustedCISO
“The hackers also know the rules, so protecting the network will mean going above and beyond.”
I think there are a few points to watch out for.
One important trend we’re seeing is a really strong emphasis on privacy controls. Regulators are starting to put more emphasis on this. For example, we saw recent changes to NIST 853b bring in more recommendations on that topic. Ultimately, this means that potential clients and buyers will pay attention to these controls in order to have confidence in the product or service they’re acquiring.
To get a handle on this, GRC managers will want to look more closely at automation techs to make these controls work more efficiently.
Another welcome change we’re seeing is a shift in perspective on security risk management. At the end of the day, network security needs to be viewed within the overall risk management of the enterprise as a whole, and that’s increasingly how executives are looking at it. This is in stark contrast to how many GRC experts have viewed (and continue to view) security and compliance—basically, follow the rules in the best way you can and as efficiently as you can. Now, that’s great if your only goal is to stay compliant. But not if you’re trying to stay ahead of the risk factors in the real world. Think of it this way: cybercriminals know the rules, too. So they know what’s likely to be protected and what vulnerabilities exist.
Having an outward-looking approach to quantify what are the real-world challenges and adversaries is really the only way to go.
Merav Vered – VP GRC & Strategic Initiatives at Vendict
“In 2023, the trend that started five years ago with GDPR will hit a new height.”
This year will be a game-changer as far as GRC is concerned.
What we’re seeing now is the escalation of a trend that began in 2018 with GDPR.
The shift has been from perceiving cybersecurity as a mere burden that in most organizations went unnoticed, to a business vector that should be carefully analyzed, planned, monitored, and, above all, receive managerial attention and resources. This process has been gradual. And despite the impact of GDPR, many organizations are still lagging behind. The main reason for this was that many sectors were still able to avoid the huge weight of regulations since they weren’t really regulated too intensely.
Well, by the time 2023 is over, there’ll be far fewer organizations that have merely a handful of regulations to follow. This will create a sense of urgency to quickly adapt or risk security breaches or being shut out of business opportunities due to cybersecurity implementation gaps.
Some examples of what I’m talking about:
The European Parliament has introduced two new regulations, the Digital Services Act (DSA) and the Digital Markets Act (DMA), which will be enforced to achieve reliable digital usage while protecting customers and companies in business competition. Heavy fines will be imposed on violations. These regulations will force any company with business in the EU to seriously prepare and commit to cybersecurity and privacy frameworks, or else.
In addition to these, it is apparent that cybersecurity has been escalating. In the US, we’re watching a similar trend, but at the local level. State governments are no longer waiting for a unified federal framework, but are adopting their own laws. Companies are now examining legislation like the Virginia Consumer Data Protection Act which has been effective since January; the Colorado Privacy Act, which will come into force in July; and the Utah Consumer Privacy Act, which will take effect in December.
So we are all experiencing this global trend where regulators all over the world are trying to create common cybersecurity landscapes. 2023 is a major milestone in this journey.