To say that the events of 2020 were unexpected is an understatement. The impact of the COVID-19 pandemic on businesses and business practices has turned the world upside down. Businesses have been forced to pivot from staff working on premises to a distributed work-from-home environment virtually overnight.
The result is that companies large and small, public and private, have had to address risk and compliance issues on the fly, making decisions about how to manage their corporate governance and security with little or no warning or preparation.
With the initial, “reaction-based” period behind us, businesses now have an opportunity to re-evaluate their approach to internal and external risk management, network security with remote staff, and regulatory and compliance issues affecting their business.
As companies look ahead to 2021, we’d like to offer our views on what we see are the major trends for Governance, Risk Management, and Compliance (GRC): Automation, data analytics, data privacy, interoperability, and third-party attest.
Trends in Automation
When companies mature and more employees require some level of access across the organization’s business systems, it becomes harder to track issues such as access provisioning and approvals, Segregation of Duties (SoD) risks, and audit certifications. Many GRC tools (like Fastpath) are now including automation, which will go a long way in streamlining the audit process with greater efficiency, completeness, and accuracy.
Trends in Data Analytics
As more companies move to cloud services and ERPs, the question becomes: how do you make sense of all of this data? Whether the tooling is machine learning, artificial intelligence, or business intelligence software, each is trying to help the user make sound decisions from large amounts of data. Big-name vendors offer strong services in each of these areas, but the next question must be: how do we secure the data in these analytics systems? Most of these services have some sort of ‘ingestion engine’, which means business data is copied into and processed by a further system. That is another attack surface: you may lock down your cloud service or ERP, but how much time and effort goes into securing the analytics software, the copy of the data it holds, and the question of who can see that data there? It is therefore important to take a holistic approach, looking across systems to get a full picture of what each user actually has access to.
Trends in Data Privacy
Since the introduction of the EU’s General Data Protection Regulation (GDPR), numerous countries have followed suit, but many are still playing catch-up. Within the U.S., the absence of a federal regulation means state-level regulations will continue to be passed in 2021. Depending on where you do business, you may be subject to one or many different data privacy regulations with different standards, and the laws already in place are regularly reviewed and expanded. Most recently, California passed the California Privacy Rights Act (CPRA), which modifies and expands existing rights and introduces new ones. Because the regulatory landscape keeps moving, more organizations will focus on data management and governance practices holistically, in preparation for future regulatory obligations rather than reacting to each new law.
Trends in Interoperability
As companies grow, mergers and acquisitions are more common. These companies find they must assimilate not just the employees from these acquisitions, but also various business systems – such as ERP, HR, and CRM – into their corporate environment. It is not uncommon for a company with subsidiaries to be running Microsoft Dynamics, NetSuite, and SAP simultaneously. Each of these systems has its own process of assigning user privileges, which becomes difficult to manage as the number of users requiring access to these various systems grows.
More and more, GRC tools can work across these numerous applications, looking at the GRC requirements of the organization holistically and not application by application. This demand for interoperability has pushed GRC tools and business applications alike toward published, standardized Application Programming Interfaces (APIs), so that user, role, and approval data can be pulled from each application with far less bespoke integration work.
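The cross-application review described above, and the SoD risk detection mentioned under the automation trend, come down to one operation: merge each system's role export into a single per-person view and evaluate the SoD rule matrix against that merged view, not against each system alone. The following is an added example (not Fastpath's code, nor any product's API) that does this in Python over constructed exports from two hypothetical systems. The system names, logins, role names, identity mapping, and the single SoD rule are all assumptions made for illustration; real exports use other schemas.

```python
"""Cross-system Segregation of Duties (SoD) check.

Added example, not Fastpath code. System names, role names, logins and the
SoD rule are constructed for illustration; real exports use other schemas.
"""
from collections import defaultdict

# Constructed role exports from two hypothetical systems: (system, login, role).
ERP_ROLES = [
    ("ERP", "jdoe", "AP_VENDOR_MAINTAIN"),
    ("ERP", "jdoe", "AP_PAYMENT_APPROVE"),
    ("ERP", "asmith", "AP_VENDOR_MAINTAIN"),
    ("ERP", "bchen", "GL_VIEW"),
]
CRM_ROLES = [
    ("CRM", "a.smith@example.com", "Payments Manager"),
    ("CRM", "b.chen@example.com", "Sales Rep"),
    ("CRM", "guest@example.com", "Sales Rep"),  # deliberately has no identity mapping
]

# Per-system login -> one corporate identity (assumed). Without this step a
# person who is "asmith" in one system and "a.smith@example.com" in another
# is reviewed as two unrelated users.
IDENTITY_MAP = {
    ("ERP", "jdoe"): "jdoe",
    ("ERP", "asmith"): "asmith",
    ("ERP", "bchen"): "bchen",
    ("CRM", "a.smith@example.com"): "asmith",
    ("CRM", "b.chen@example.com"): "bchen",
}

# Per-system role -> business capability (assumed). Normalizing to
# capabilities is what lets one SoD rule apply across differently named roles.
CAPABILITY_MAP = {
    ("ERP", "AP_VENDOR_MAINTAIN"): "create_vendor",
    ("ERP", "AP_PAYMENT_APPROVE"): "approve_payment",
    ("ERP", "GL_VIEW"): "view_ledger",
    ("CRM", "Payments Manager"): "approve_payment",
    ("CRM", "Sales Rep"): "manage_opportunities",
}

# SoD rule matrix: capability pairs one person must not hold together.
SOD_RULES = {
    frozenset({"create_vendor", "approve_payment"}): "vendor creation + payment approval",
}


def build_entitlements(exports):
    """Merge raw role rows into {identity: {capability: {(system, role), ...}}}.

    Returns (entitlements, unmapped). Rows whose login or role has no mapping
    are returned separately rather than dropped: an unmapped login is a
    coverage gap in the review, not a clean result.
    """
    entitlements = defaultdict(lambda: defaultdict(set))
    unmapped = []
    for system, login, role in exports:
        identity = IDENTITY_MAP.get((system, login))
        capability = CAPABILITY_MAP.get((system, role))
        if identity is None or capability is None:
            unmapped.append((system, login, role))
            continue
        entitlements[identity][capability].add((system, role))
    return entitlements, unmapped


def find_sod_conflicts(entitlements):
    """Return sorted (identity, rule, sources) tuples for every violated rule.

    sources lists the (system, role) pairs granting the conflicting
    capabilities, so a reviewer can see whether the conflict lives inside
    one system or only appears when systems are combined.
    """
    conflicts = []
    for identity in sorted(entitlements):
        caps = entitlements[identity]
        for pair, rule in SOD_RULES.items():
            if pair <= set(caps):
                sources = sorted(src for cap in pair for src in caps[cap])
                conflicts.append((identity, rule, sources))
    return conflicts


def cross_system_only(conflicts):
    """Identities whose conflict spans more than one system."""
    return [ident for ident, _, sources in conflicts
            if len({system for system, _ in sources}) > 1]


if __name__ == "__main__":
    ent, gaps = build_entitlements(ERP_ROLES + CRM_ROLES)
    found = find_sod_conflicts(ent)
    for ident, rule, sources in found:
        print(f"{ident}: {rule} via {sources}")
    print("cross-system only:", cross_system_only(found))
    print("unmapped rows:", gaps)
```

Run stand-alone, the script flags two people: jdoe, whose conflict sits entirely inside the ERP and would be caught by a per-system review, and asmith, who can create vendors in the ERP and approve payments in the CRM. Reviewing either system on its own reports asmith as clean; the conflict only exists in the merged view, which is the point of the holistic approach. The unmapped guest row is surfaced rather than silently dropped, because an account the identity mapping cannot place is itself a finding.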
Trends in Third-Party Attest
The primary form of Third-Party Attest (TPA) that most organizations consume is the SOC 1 or SOC 2 report. A SOC report is an independent auditor's report on controls at a service organization; customers need one where vendor-managed software is relevant to their own organizational or regulatory controls. In other words, where a vendor's controls matter to a user, the SOC report is the primary means (other than a direct audit) of determining whether those controls are suitably designed and operating effectively.
The SolarWinds compromise in 2020 raises another question: why aren't on-premises software vendors subject to the same standard? Had SolarWinds customers known that password and change management controls were not designed well enough to catch malicious code inserted into the product, they would have had the chance to remediate their risk. In 2021, companies will begin to ask more targeted questions of their on-premises software vendors. Most likely this will start with requests for attestation reports of the kind the market still calls AT 101 reports (now issued under AT-C sections 105 and 205 since the AICPA's SSAE 18 recodification), and eventually a SOC-like standard requiring on-premises software vendors to communicate their control design and operating effectiveness to their customers.
Looking ahead to 2021, companies have many opportunities not only to catch up on GRC, audit, and IT security, but also to get ahead with the right tools and technology.