When it comes to Governance, Risk, and Compliance, vigilance is everything.

GRC managers need to stay on the ball, which means being alert to any emerging developments and trends.

And being a bunch of curious compliance professionals ourselves, we thought it’d be an awesome idea to put together insights from some of the most talented folks in the GRC space today.

So here you have it. Straight from the sources. The most important GRC trends to look out for in 2023 (Part 2).

Sushim Roy, GRC Expert at Big 4 Accounting Firm

“Your biggest GRC challenge isn’t finding the right tools; it’s maintaining accountability within your team.”

Many voices in the GRC space focus on identifying new capabilities to improve their frameworks. 

While I agree that GRC managers always need to optimize their tools, I don’t think this is the main challenge facing GRC leaders today. There are a lot of great platforms out there. With a little research and testing, managers can find the ones that are right for them.

From my perspective, the biggest challenge is from the organizational perspective. 

I’ve headed GRC efforts in many large organizations, and the consistent issues are always related to the role setup, communication, and most importantly, designing the framework so that the company management can follow the processes and decision-making. 

In any organization, there are a range of compliance and security risks. The most important question GRC managers need to be able to answer is this: “Who owns each particular risk?” or, in other words, who is responsible for addressing this particular GRC need, and who is responsible for following up when there is an issue? What allows you to answer this question is clear visibility. If you’re taking on a new leadership role in GRC, I strongly recommend: this should be your first priority. Divide the organization into sections so you can delineate responsibilities and better quantify risks and requirements. 

The manager then needs to make sure that executives know who holds each of these roles so that coordination can take place between all the relevant parties: the executive overseeing the domain, the GRC manager, and the GRC analyst responsible for the specific task. Conversely, the individual analyst needs to know which executives to reach out to when there is a need to make a change, introduce something new to the framework, or report an incident.

Once the GRC manager has this clarity,  the entire job will go much more smoothly—and effectively. 

Debra Baker, CEO of TrustedCISO 

“The hackers also know the rules, so protecting the network will mean going above and beyond.”

I think there are a few points to watch out for.

One important trend we’re seeing is a really strong emphasis on privacy controls. Regulators are starting to put more emphasis on this. For example, we saw recent changes to NIST 853b bring in more recommendations on that topic. Ultimately, this means that potential clients and buyers will pay attention to these controls in order to have confidence in the product or service they’re acquiring.

To get a handle on this, GRC managers will want to look more closely at automation techs to make these controls work more efficiently. 

Another welcome change we’re seeing is a shift in perspective on security risk management. At the end of the day, network security needs to be viewed within the overall risk management of the enterprise as a whole, and that’s increasingly how executives are looking at it. This is in stark contrast to how many GRC experts have viewed (and continue to view) security and compliance—basically, follow the rules in the best way you can and as efficiently as you can. Now, that’s great if your only goal is to stay compliant. But not if you’re trying to stay ahead of the risk factors in the real world. Think of it this way: cybercriminals know the rules, too. So they know what’s likely to be protected and what vulnerabilities exist. 

Having an outward-looking approach to quantify what are the real-world challenges and adversaries is really the only way to go. 

Merav Vered – VP GRC & Strategic Initiatives at Vendict 

“In 2023, the trend that started five years ago with GDPR will hit a new height.”

This year will be a game-changer as far as GRC is concerned. 

What we’re seeing now is the escalation of a trend that began in 2018 with GDPR. 

The shift has been from perceiving cybersecurity as a mere burden that in most organizations went unnoticed, to a business vector that should be carefully analyzed, planned, monitored, and, above all, receive managerial attention and resources. This process has been gradual. And despite the impact of GDPR, many organizations are still lagging behind. The main reason for this was that many sectors were still able to avoid the huge weight of regulations since they weren’t really regulated too intensely. 

Well, by the time 2023 is over, there’ll be far fewer organizations that have merely a handful of regulations to follow. This will create a sense of urgency to quickly adapt or risk security breaches or being shut out of business opportunities due to cybersecurity implementation gaps.

Some examples of what I’m talking about: 

The European Parliament has introduced two new regulations, the Digital Services Act (DSA) and the Digital Markets Act (DMA), which will be enforced to achieve reliable digital usage while protecting customers and companies in business competition. Heavy fines will be imposed on violations. These regulations will force any company with business in the EU to seriously prepare and commit to cybersecurity and privacy frameworks, or else.

In addition to these, it is apparent that cybersecurity has been escalating. In the US, we’re watching a similar trend, but at the local level. State governments are no longer waiting for a unified federal framework, but are adopting their own laws. Companies are now examining legislation like the Virginia Consumer Data Protection Act which has been effective since January; the Colorado Privacy Act, which will come into force in July; and the Utah Consumer Privacy Act, which will take effect in December.

So we are all experiencing this global trend where regulators all over the world are trying to create common cybersecurity landscapes. 2023 is a major milestone in this journey.

When it comes to Governance, Risk, and Compliance, vigilance is everything.

GRC managers need to stay on the ball, which means being alert to any emerging developments and trends.

And being a bunch of curious compliance professionals ourselves, we thought it’d be an awesome idea to put together insights from some of the most talented folks in the GRC space today.

So here you have it. Straight from the sources. The most important GRC trends you should be on the lookout for in 2023.

Kevin Thomson – GRC Manager at Cognizant

“Smart systems powered by AI will bring a new level of accuracy and efficiency to GRC controls and metrics.”

The biggest trend we’ll see in the coming year will be smart systems that help make GRC more accurate and efficient.

In the GRC space, everything kinda falls into the realm of controls, policies, or metrics.  

You wanna have better controls—you know, firewalls, authentication tools, that sort of thing—better policies on how those controls are used, and super accurate metrics on how those policies are actually being implemented and how effective they are.

Collecting evidence across your controls and policies can be tedious, to say the least, especially when you’re dealing with a large organization. But once we have smart systems powered by AI to collect all this info, getting a better read on how well our GRC framework is doing will be much—and I mean much—easier.  

To prepare for audits, all GRC managers will need to do is print out a report based on all the data collected across the organization. What’s even better is that since the report is being generated by a computer, it can frame the compliance status in hard numbers instead of talking in highly technical details pertaining to a given department, system, or regulation. Here’s a pretty straightforward example: Let’s say you have 20 employees in a specific department, but only 10 have completed the required training to be in compliance with personnel regulations. The AI will recognize that and interpret it as 50 percent compliance. 

This is extremely important when it comes to communicating numbers to the board and CEO, who are likely not that familiar with the compliance jargon. What they want to know is how close they are to the goal, and what resources they need to invest in order to get there. 

Sumitra Lohiya – GRC Manager at Wipro UK

“Cloud systems will be vital for robust GRC frameworks.”

Integrating cloud systems and their security controls will be an important measure for GRC in the future.

Cloud-based systems offer vital benefits for creating robust GRC frameworks. Centralizing identity management helps make sure access controls are being applied uniformly and makes them easier to revoke when needed. The cloud also enables an organization to scale up or down resources as needed, making it easier to accommodate changes in their risk profile. 

Finally, there’s the cost factor. Cloud systems can dramatically lower the costs associated with GRC, as organizations don’t need to invest in expensive hardware and software to support their GRC initiatives.

Amiran Sapir – GRC SAP Manager, Big Four Consulting Firm 

“Growing dependence on third parties and the increase in third-party hacks means more pressure to tighten vendor policies.” 

I’ve been keeping an eye on several important developments in GRC. 

From my vantage point, I can see two truly game-changing trends emerging.

First on the list is an increased focus on Third-Party Risk Management (TPRM). Driving this is the growing dependence on third-party relationships in the digital era and the noticeable increase in third-party hacks affecting the digital sphere. This means that GRC managers will be under more pressure to secure their organizations’ vendor policies, either by the board or by new laws mandating it. 

Second is the heightened emphasis on cybersecurity risk management. C-level execs now understand that information security is not a static thing. The “buy the best platforms, set and forget” approach is no longer enough. The threats are constantly evolving. Furthermore, an organization can only dedicate a limited number of resources to cyberspace. So organizations are going to start looking for a more strategic approach to cyber defense: quantifying risk, figuring out real ROI on cyber investment, and creating a strategy based on these metrics. GRC managers will ultimately build their frameworks in the future based on these measurements. 

Nick Dolinich – GRC Analyst at Johnson & Johnson 

“From a security perspective, the golden standard is secure by design. This means development teams want to get GRC guys involved in the early stages.”

From my perspective, one of the most important developments in GRC is the approach to product development. 

Everyone knows that from a security perspective—and therefore from a compliance perspective—the golden standard is “secure by design.” This means that development teams want to get GRC guys involved in the early stages of the product development. This is really a win-win since whenever security is a focus from the start of development, it ends up making the job of GRC analysts and managers a hell of a lot easier. 

What’s pushed more organizations to adopt the GRC-development partnership is the growing complexity of regulation. Here in the US, many states are adopting their own data security laws. So you end up having one standard for California, another for Colorado, and another for New York. So it gets pretty complicated pretty quickly. If you can know your compliance requirements from the get-go, it makes everyone’s lives a lot easier. This will probably require some organizational changes in some companies—for some it’s a foreign concept for GRC and product guys to collaborate in this way. But I definitely think the GRC industry is moving in that direction.

And so, to sum it all up, we’re looking at four super impactful changes coming down the pipe for enterprise compliance: 

#1 – First, the use of AI-powered smart tech to improve metrics and controls—elements that lie at the heart of any GRC strategy. 

#2 – Next is the opportunity to scale GRC implementations smoothly and effectively by adopting cloud capabilities. 

#3 – GRC managers will focus more and more on third-party risk management and ensuring their vendors are secure.

#4 – In order to optimize compliance input for their products, companies will begin to integrate GRC at the development level, which will likely bring about changes in the workflows and processes businesses are currently using.   

Thanks to our experts for the amazing, value-added insights. 

Keep an eye out for Part 2 of our “Ask the Experts” series.

Bye for now. 

One of the greatest parts about my job is being able to get a global perspective on the state of infosec. 

I’ve the opportunity to talk to amazingly talented people, get their opinions on important trends, and hear their real-world experiences. 

Vendict is, at the end of the day, a platform dealing with third-party risk. TPRM is what we’re trying to deliver to customers, and it’s the risk we’re ultimately trying to mitigate.

Unfortunately, the risk associated with third parties has really gotten out of control. 

Day after day, we see in the headlines that even big companies that have the resources to address this problem are falling victim to third-party hacks.

One of the symptoms of this situation is that it’s really hard to get a quantifiable picture of how TPRM is affecting organizations. 

So at Vendict, we decided to do a deep dive.

To unpack what we discovered, we divided the data into three categories:

• The actual risk of third-party hacks in the cybersphere as a whole
• The operational burden that organizations have to deal with in addressing TPRM 
• The reputation factor that TPRM brings to the table

Let’s jump in:  

Actual Risk

You don’t have to rely on anecdotes. 

The best data we have confirms that third-party hacks are on the rise, and have been for a while. 

The first thing to consider is that these hacks constitute a larger portion of all security breaches. In fact, they’re now the most common vulnerability behind all data incidents. Experts estimate that today, about 60 percent of all data breaches today occur via third-party vendors.

The second factor to keep in mind is the damage being inflicted by these hacks. In research put out by the Ponemon Institute, the researchers found that the average cost of a data breach caused by a third party has increased from $370,000 to $4.29 million in just three years.  

So yes, third-party hacks are much more common today than they were just a few years ago, and they also have much greater impact.  

The last point in terms of quantifying the general threat of third-party hacks is that not all industries share the same level of risk. For example, the healthcare industry is being hit much harder than other sectors. In 2021, 33% of all attacks involving third parties targeted hospitals and other healthcare organizations. That’s really quite remarkable when you think about it. 

The discrepancy in risk levels is hugely important for GRC managers and CISOs who are trying to develop frameworks for their respective organizations.

Operational Burden

Beyond the actual risk of third-party attacks, there is the burden that businesses must bear in addressing that risk.

And here’s where the problem gets bad. 

You see, TPRM is actually a complicated thing, and it’s only getting more complicated as more and more IT services are being outsourced and the digital supply chain becomes more nebulous. This means staying on top of third-party risks requires a lot of work—more work than many companies are able to put in.   

Today, over 50% of companies across all industries say that managing third-party security is too overwhelming and stressful. Surveys across industries show that more than half of companies say about themselves that they do not thoroughly review each third-party’s security and privacy procedures before integrating them into their network. By the same token, 65% of firms report they have not even identified all their third parties that have access to their most sensitive data, and 54% of organizations do not have a complete list of the third parties that can access their network. 

With the burden of TPRM increasing rapidly, it’s no wonder that 48% of organizations already deem third-party relationship complexity as their main problem from a business flow perspective.

Reputational Burden

I know we are painting a pretty bleak picture here. But stay tuned, because there is a silver lining.

The last factor we considered in exploring TPRM is the reputational factor, which is to say, how third-party risk affects a company’s ability to close deals. 

There’s more awareness of third-party hacks today than ever before. Surveys of IT executives revealed that the vast majority (over 79%) have experienced a third-party hack on their watch in recent years. This trend led Gartner to predict that nearly half of all organizations in the world will have experienced a third-party hack by 2025. What this means is that security teams and their bosses are being more selective about services that have a higher prevalence of third-party incidents. 

Here as well, industry-to-industry differences matter. For instance, third-party security breaches are much more common among software publishers than in other service providers. A recent report by security firm Black Kite shows that software publishers are involved in 23% of all third-party incidents. 2022 was the third consecutive year that software publishers were the most common industry connected to third-party breaches. 

An Opportunity in Disguise

So here’s the good news I promised. 

You don’t have to approach these numbers with a fatalistic outlook. On the contrary, the state of TPRM today offers companies a huge opportunity to grab the third-party challenge by the horns.

At Vendict, we like to say: “We’re not here to solve compliance problems. We’re here to turn compliance into an asset.”

That’s exactly what can be done with regard to TPRM. 

Companies that take responsibility, and go out of their way to show their client base that they take third-party risks seriously, automatically give themselves a huge competitive edge. 

This, in my humble opinion, is the real takeaway from the current state of third-party risk management: The chance to turn risk into an added value for the business is right in front of us. 

We, at Vendict, will harness the power of linguistic-generative AI to help with security and privacy compliance and risk management.

I’ve spent countless hours talking with CISOs and sales managers across every industry, learning about their challenges with compliance processes.

From all of these conversations, I can tell you that there are some points that everyone seems to miss—and that end up costing both resources and potential sales.

Remember, the questionnaire is not just a formality.

Your potential client wants to know if you’re (A) trustworthy and responsive, and (B) if you know what you’re talking about when it comes to the safety of your company and product.

So first things first: Accurate and complete information is key.

For all the sales reps out there desperately trying to cross these tedious assessments off their to-do lists, keep in mind that every follow-up question adds ON AVERAGE four days to the sales cycle.

Number 2: Relevance.

Someone on the other side of this deal will read the questionnaire once you send it back. You don’t want to bother them with facts that have nothing to do with their questions.

Next: Specificity.

It can be very tempting to answer a question in a general way, which is technically correct but lacking in details. If a client asks you, for example, if you have certain security protocols in place, answering “Yes” isn’t enough. Responding “We implement the above protocols in the following way…” is an answer a client can smile about 😉

Number 4: Up-to-date.

This means coordination between sales, the compliance team, and the security people. If key security features change, make sure everyone who needs to know actually does. If you have the same answers on reserve without ensuring they’re up-to-date, that’s an embarrassment waiting to happen.

Last but not least: Consistency.

This means providing consistent answers across all sections of the questionnaire. If there are overlapping questions in a questionnaire (and I assure you there will be), it’s vital that there are no discrepancies between them. Even if all the answers are correct on their own, the fact that different answers are given on the same topics will set off a red flag in the client’s mind.

So there you have it. The five pro tips everyone seems to be missing when it comes to tackling security questionnaires.

Remember, questionnaires, as annoying as they can be, are an important opportunity to show the client your expertise, professionalism, and ability to address their concerns. Keeping the questionnaires sharp and on point is one of your biggest assets.

One of the most important things for me as a CEO is to get a full understanding of our clients’ business challenges around data and compliance.

A big part of my job in leading Vendict is to listen carefully to the customers, understand their problems, and act on their feedback..

A few months ago, the Vendict team decided to pose some questions to tech and compliance professionals to get their take on how compliance affects their jobs.

Well, the results are in. And I’ve got to say, they’re pretty revealing.

During the survey, we interviewed over 50 individuals, including account managers, sales professionals, and SDRs working in the SaaS, PaaS, IoT, and other tech areas. Each of them has years of experience dealing with security compliance in a business context. We asked each of them three questions:

1. What would you say is the biggest time-waster in your job?

I knew from the start that it was a risk to ask such a general question.. 

We didn’t offer multiple-choice answers. We just asked participants to write freely. The answers could have been very different, and it wouldn’t have been possible to pinpoint the problems I want to solve as a compliance expert..

But in the end, it was worth asking the questions.

Of the non-administrative challenges that respondents listed, the top three time-wasters they described were:

a) Lack of technology to hasten various tasks

b) Technical data not organized or readily available

c) Compliance documentation

TOP FIVE ANSWERS:

• “Lengthy RFPs with endless technical requirements” 
• “Tedious tasks with no automation to help”
• “Poor channels to share relevant info from one department to another”
• “My biggest time-waster is manually filling out Security Questionnaires”
• “ Unnecessary tedious/outdated processes for sorting data”

This speaks volumes about the challenges companies are facing. It also demonstrates how simple technological tool integrations can make a significant difference in a team’s efficiency and overall productivity..  The third response on the list (compliance documentation) is essentially a combination of the first two problems—menial task overload and lack of data organization.

Lesson learned:

Adopting technological platforms that can automate menial tasks and help organize critical information are the investments with the biggest ROI.

2. What routine or process has been implemented in your workplace that has made the biggest difference in your productivity?

We’re all about efficiency at Vendict.

So naturally, I wanted to know what my target audience is up to when it comes to increasing efficiency in the workplace.

By far, the most common response to this question involved integrating technology to better manage information and databases (post-sales call meetings being the distant second).

TOP FIVE ANSWERS:

• “A central place where all communications and customer information can be logged”
• “Having the information needed to complete tasks in one central location and easily accessible”
• “Organizational tools to track data on previous sales and recurring customers”
• “A centralized place where all project and product updates can be logged and accessed by all team members”
• “A Dashboard to log the development of sales processes”

Getting all these similar answers from such a wide array of participants lends a lot of support to the lessons drawn from the first survey question, namely that keeping information organized is a huge driver of company performance. Remarkably, many participants (without us asking, of course) described in more detail why these integrations made their lives easier. The common thread came down to this: They had all this information just sitting there, in their own network, with no way of accessing it—until they brought on the appropriate platform.

3. Do you feel that customers’ security and compliance requirements are making your job more difficult? If so, in what ways?

Understanding the relationship between compliance and business is at the core of my company.

I’ve spent countless hours discussing this topic with clients. But I wanted to hear from a broader set of people in the field..

Now to be 100% honest, to my surprise, I’ve received a few sporadic “no” responses to this question. All I can say to that fortunate handful is: “Heaven has clearly smiled upon you.”

But the rest of the participants, as I’d anticipated, had a different story to tell.

The most common descriptions of how compliance made the job harder were:

a) numerous security inquiries that essentially all contained the same question.
b) time spent filling out security questionnaires, which delays sales cycles..
c) back-and-forth communication between the vendor and buyer holding up the deal from closing.

TOP FIVE ANSWERS:

• “Having to provide security details in specific formats delays sales cycles”
• “Implementing new or unique procedures for compliance affects my ability to perform my role consistently”
• “Compliance is very repetitive, as every client has their own way of asking what are essentially the same question”
• “Delays related to security compliance add a minimum of a week to any deal I work on”
• “Even after we have invested in compliance, clients will come up with additional demands and frameworks that we must comply with”

I think the most important thing to take away from the responses to this last question is how disruptive compliance can be for an enterprise.

It becomes a task with such high resource demands that it can hurt the company’s profitability and put a real dent in its ability to function.

What these responses, and indeed the whole survey, reaffirmed to me was that making compliance easier and more efficient for enterprises is not just a compliance issue—it’s also a business efficacy issue.

Unless an enterprise is able to achieve compliance in a smooth and simplified manner, it is essentially handicapped as a business..

That’s why empowering companies with compliance technology transforms compliance from a liability into one of their biggest assets.

Special thanks to the amazing participants who helped make this expert survey a reality:

• Vaishak Gopi
• Joe Wilson
• Stephanie Krawczyk
• Kevin Nguyen
• Trevor Pernice
• Leran Shoshani
• Matt Modena
• Gavin Olson
• Brett Gardner 
• Douglas Behrend
• Tanmay Mehra
• Christy Teppenpaw