
igor - Fotolia
Top enterprise GRC and security predictions for 2015
Can we leave the "year of the breach" title to 2014? In this #GRCChat recap, participants shared their enterprise GRC and security predictions for 2015.
"The year of the data breach." "A banner year for breaches." "The year of the hack -- get used to it." Those are just some of the ways in which 2014 has been described. Considering that almost half of companies were breached last year, up about 10% from 2013, it's not shocking that, to many, reports of a new cyberintrusion represent just another typical day.
But when that string of data breaches culminated with the large-scale attack on Sony Pictures, consumers, corporations and media outlets alike did flinch. It wasn't just any old breach -- this time, the company's employees and their sensitive information were targeted, and Sony is now dealing with the financial and legal aftermath. This attack on a private company was soon labeled "one of the gravest national security dangers to the United States" by the FBI and the U.S. government.
The threat landscape has changed, and hackers' motivations are now more complicated than ever -- putting companies at even greater risk. So we posed the question to our SearchCompliance #GRCChat participants: Where does this leave today's organizations as they struggle to improve enterprise governance, risk and compliance (GRC) and security processes to better protect both corporate and personal information?
What are your GRC predictions for 2015?
Given the spate of high-profile hacks in 2014, SearchCompliance Site Editor Ben Cole predicted that companies will look more to big data analytics to inform their GRC decisions. SearchCIO Senior News Writer Nicole Laskowski agreed:
.@BenjaminCole11 Yes! Including unstructured data analysis -- so tools like text analytics will begin to play a role. #GRCchat
— Nicole Laskowski (@TT_Nicole)
December 18, 2014
A3 (cont) instead of the amount of big data being a GRC burden, companies should be using that info to their advantage #GRCchat
— Ben Cole (@BenjaminCole11)
December 18, 2014
Specifically, organizations are likely to use big data tools to analyze data that's already available, such as network logs and employees' data footprints, and share this information across business lines in order to glean insight into suspicious anomalies or behaviors. And as Laskowski points out, parsing unstructured text and binary data can also provide useful intelligence. Visa is one of the big-name companies that's taking advantage of analytics for security, using various models to target credit card fraud.
Participant Forvalaka41 predicted that the data breach at Sony Pictures, which many cybersecurity experts are speculating involved an insider, will lead to an increase in cyberthreats targeting both personal and corporate data. Senior Managing Editor Rachel Lebeaux expects that companies will resort to new tactics to combat these threats:
A3: In the wake of Sony, I expect the threats to increase dramatically if not so publicly. #grcchat
— Forvalaka41 (@Forvalaka41)
December 18, 2014
@ITCompliance A3 As discussed in last #GRCChat, despite legal limitations in place, I expect more active cyberdefense http://t.co/yvEpw8ni2W
— RachelTT (@RachelatTT)
December 18, 2014
According to Experian's 2015 data breach forecast report, some of the leading contributors to increased threats this year will be the Internet of Things, cloud data, consumer apathy regarding data protection and – as follower Mark Underwood hints at below -- insider threats, which a majority of companies will overlook.
Companies in the private sector are already showing signs of frustration that they can't adequately defend themselves against increasingly sophisticated attacks, looking outside the government and seriously considering active cyberdefense tactics. Cybersecurity and law enforcement experts strongly advise against "hacking back," however, instead urging firms to bolster existing defenses with methods such as insider threat detection using continuous evaluation programs (CEP) and Bayesian logic, which Underwood highlights:
A1 Insider threat & Bayesian methods for after-breach events, but tools are costly, clumsy with many false positives w/o CEP #grcchat
— knowlengr (@knowlengr)
December 18, 2014
Underwood also predicts that more executives will see the value in involving HR in the security process and training as they realize that, first and foremost, security is about people's behavior and tendencies:
A1 Predicting lots discourse around Sony incident with few wholesale #compsec change. Should impact training, HR but so unglamorous #grcchat
— knowlengr (@knowlengr)
December 18, 2014
@ITCompliance A3 Predict #GRC professionals will want more input in business decisions in wake of breaches http://t.co/w7yPCj1kXO #GRCChat
— RachelTT (@RachelatTT)
December 18, 2014
GRC and security pros are itching to pull up a seat at the table -- and rightly so, as organizations recognize that security is vital to the bottom line. Security won't just be baked into HR and employee training, Lebeaux predicts, but also other business and IT processes.
Participant Dan Sanders was more conservative in his enterprise GRC predictions for this year, arguing that the myriad security viewpoints from businesses, the government and law enforcement might amount to a standstill, not a catalyst:
@ITCompliance A3 I expect more muddied water btw biz, gov, and law enforcement. Too many diff opinions, and no impetus to change #grcchat
— Dan Sanders (@dansanders)
December 18, 2014
@RachelatTT We've had big hacks for years - and still have them. No impetus yet, it seems. :-) #grcchat (maybe hacked is the New Normal?)
— Dan Sanders (@dansanders)
December 18, 2014
@Fran_S_TT @ITCompliance Nope; IMO we have a Culture of Trendy Opposition. (that's for another discussion) #grcchat
— Dan Sanders (@dansanders)
December 18, 2014
Prediction: Continued lack of transparency about breach causes & remediation actions. More CYA than > @softwareqc #grcchat
— knowlengr (@knowlengr)
December 18, 2014
"Trendy opposition" or not, perhaps Sanders has a point: Cyberattacks, particularly of a financial nature, are happening so frequently that some companies now barely wince when they occur (unless they are the target). But despite this desensitization, "the boundaries of cybercrime and cyberespionage, whether it's a for-profit motive or a reputational motive, are changing," said Rob Roy, federal chief technology officer for HP Enterprise Security.
Enterprises can't be lackadaisical in their cybersecurity preparation or response. The new year could be their chance to take the first step in facing these attacks head on, starting with greater transparency between organizations and with law enforcement, as Underwood suggests.
What's your enterprise GRC and security forecast for 2015? Please sound off in the comments section below.