This past year has been, definitively, the most transformative time in infosec’s history. With entire workforces unpredictably shifting to required remote access nearly overnight, the demand for companies to completely rethink security in 2020 grew to a fever pitch by mid-March…and then never let up.
As businesses begin to come to terms with the permanence of so many of these changes, infosec will be faced with solidifying, strengthening and accepting the industry’s new normal — and developing more comprehensive and efficient information security programs in the process.
So where will they start? That’s what we wanted to know, so we went straight to the source: our customers, industry peers, CISO advisors and industry analysts.
Word on the street is that information security in the year ahead is all going to come down to a few key areas of focus. Here are ZenGRC’s top five predictions for how this will all play out in 2021:
1. Expect non-stop audits coming at you from everywhere, all the time.
With any increased level of risk, an increased level of concern is sure to follow — but not only from the usual suspects this year. In addition to an increase in regulatory and privacy requirements, start expecting your customers — and even vendors — to build audits into their contracts moving forward. Any trust you may have established prior to 2020 can no longer be counted on, in part because your customers and vendors are being audited, too. Their data (which belongs to someone else upstream) is in your new, off-prem, cloud-based, higher-risk hands, and they’re going to expect you to know how to protect it.
2. You will have to go above and beyond simple certifications.
Historically, completing security certifications meant you were compliant with regulatory standards, which for most companies was the goal: to clear the bar and simply comply. But with an increase in audits and security expectations coming from all angles, companies will be going above and beyond simple certifications in 2021 to satisfy these expectations preemptively. This will mark a decisive shift from businesses having the goal of being compliant to having the goal of being truly secure.
3. Privacy regulations are about to undergo big changes.
In the past five years, we’ve seen increased privacy regulations slowly building momentum as states and regions began adopting and implementing their own separate, additional regulations, like GDPR and CCPA. But in 2021, infosec needs to prepare for rapid expansion and adjustments to privacy regulations well beyond Europe and California. This will require investing in the right resources to keep up with these changes: think local, nuanced, variant regulations that are layered, sometimes overlapping, and constantly evolving.
4. Risk will be top-of-mind across the organization.
This isn’t necessarily as bad as it sounds. In fact, historically, infosec was the only department truly concerned with risk, which caused a tremendous amount of disregard and disrespect for the regulations and expectations laid out across an organization. But in 2021, you can expect other departments to finally feel similarly. From supply chain to financial to brand, the desire to understand, appreciate and mitigate risk will be felt — and taken seriously — across the board.
5. As costs pile up, you’ll need to come with a new cost-justification strategy.
As companies shift to a more proactive and comprehensive security prevention plan, the pressure will continue to be on CISOs to justify their expanded spend to the board — but this year, they will need to build a new strategy.
Typically, one could justify investing in a service by explaining it against the cost to staff a few employees to deliver the same outcome. One tool is often a less-expensive investment than multiple headcount. But a large part of a company’s shift toward comprehensive security is to satisfy required customer demand and protect the business from increasingly costly regulatory penalties. So for CISOs in 2021, be prepared to not only justify investment against headcount, but to leverage increased demands from customers, vendors and increasingly stringent regulatory penalties.
No doubt 2021 will be a pivotal year for businesses across the board. Be prepared for increasing audits. Be prepared for increasing regulations. Be prepared to talk about risk to your board. Be prepared to justify spend. Even more, be prepared to accept that this is the norm.
After all, compliance doesn’t stop. Regulations don’t take a break. And neither does the barrage of requests from your customers. No matter the industry, the ability to mature your information security program and transform it from a cost center into a business enabler is going to be key to building and maintaining the trusted relationships necessary for doing business.