Top enterprise GRC and security predictions for 2015

What are your GRC predictions for 2015?

Given the spate of high-profile hacks in 2014, SearchCompliance Site Editor Ben Cole predicted that companies will look more to big data analytics to inform their GRC decisions. SearchCIO Senior News Writer Nicole Laskowski agreed:

.@BenjaminCole11 Yes! Including unstructured data analysis -- so tools like text analytics will begin to play a role. #GRCchat

— Nicole Laskowski (@TT_Nicole) December 18, 2014

A3 (cont) instead of the amount of big data being a GRC burden, companies should be using that info to their advantage #GRCchat

— Ben Cole (@BenjaminCole11) December 18, 2014

Specifically, organizations are likely to use big data tools to analyze data that's already available, such as network logs and employees' data footprints, and share this information across business lines in order to glean insight into suspicious anomalies or behaviors. And as Laskowski points out, parsing unstructured text and binary data can also provide useful intelligence. Visa is one of the big-name companies that's taking advantage of analytics for security, using various models to target credit card fraud.

Participant Forvalaka41 predicted that the data breach at Sony Pictures, which many cybersecurity experts are speculating involved an insider, will lead to an increase in cyberthreats targeting both personal and corporate data. Senior Managing Editor Rachel Lebeaux expects that companies will resort to new tactics to combat these threats:

A3: In the wake of Sony, I expect the threats to increase dramatically if not so publicly. #grcchat

— Forvalaka41 (@Forvalaka41) December 18, 2014

@ITCompliance A3 As discussed in last #GRCChat, despite legal limitations in place, I expect more active cyberdefense http://t.co/yvEpw8ni2W

— RachelTT (@RachelatTT) December 18, 2014

According to Experian's 2015 data breach forecast report, some of the leading contributors to increased threats this year will be the Internet of Things, cloud data, consumer apathy regarding data protection and – as follower Mark Underwood hints at below -- insider threats, which a majority of companies will overlook.

Companies in the private sector are already showing signs of frustration that they can't adequately defend themselves against increasingly sophisticated attacks, looking outside the government and seriously considering active cyberdefense tactics. Cybersecurity and law enforcement experts strongly advise against "hacking back," however, instead urging firms to bolster existing defenses with methods such as insider threat detection using continuous evaluation programs (CEP) and Bayesian logic, which Underwood highlights:

A1 Insider threat & Bayesian methods for after-breach events, but tools are costly, clumsy with many false positives w/o CEP #grcchat

— knowlengr (@knowlengr) December 18, 2014

Underwood also predicts that more executives will see the value in involving HR in the security process and training as they realize that, first and foremost, security is about people's behavior and tendencies:

A1 Predicting lots discourse around Sony incident with few wholesale #compsec change. Should impact training, HR but so unglamorous #grcchat

— knowlengr (@knowlengr) December 18, 2014

@ITCompliance A3 Predict #GRC professionals will want more input in business decisions in wake of breaches http://t.co/w7yPCj1kXO #GRCChat

— RachelTT (@RachelatTT) December 18, 2014

GRC and security pros are itching to pull up a seat at the table -- and rightly so, as organizations recognize that security is vital to the bottom line. Security won't just be baked into HR and employee training, Lebeaux predicts, but also other business and IT processes.

Participant Dan Sanders was more conservative in his enterprise GRC predictions for this year, arguing that the myriad security viewpoints from businesses, the government and law enforcement might amount to a standstill, not a catalyst:

@ITCompliance A3 I expect more muddied water btw biz, gov, and law enforcement. Too many diff opinions, and no impetus to change #grcchat

— Dan Sanders (@dansanders) December 18, 2014

@RachelatTT We've had big hacks for years - and still have them. No impetus yet, it seems. :-) #grcchat (maybe hacked is the New Normal?)

— Dan Sanders (@dansanders) December 18, 2014

@Fran_S_TT @ITCompliance Nope; IMO we have a Culture of Trendy Opposition. (that's for another discussion) #grcchat

— Dan Sanders (@dansanders) December 18, 2014

Prediction: Continued lack of transparency about breach causes & remediation actions. More CYA than > @softwareqc #grcchat

— knowlengr (@knowlengr) December 18, 2014

"Trendy opposition" or not, perhaps Sanders has a point: Cyberattacks, particularly of a financial nature, are happening so frequently that some companies now barely wince when they occur (unless they are the target). But despite this desensitization, "the boundaries of cybercrime and cyberespionage, whether it's a for-profit motive or a reputational motive, are changing," said Rob Roy, federal chief technology officer for HP Enterprise Security.

Enterprises can't be lackadaisical in their cybersecurity preparation or response. The new year could be their chance to take the first step in facing these attacks head on, starting with greater transparency between organizations and with law enforcement, as Underwood suggests.

What's your enterprise GRC and security forecast for 2015? Please sound off in the comments section below.