Webinar Recap: 2020 Risk Trends and Predictions
A New Year is days away, and it also marks a new decade. If the 2020s are anything like the 2010s, we can expect plenty of risk of varying types.
For a closer, more accurate reading on what we can expect in 2020, we brought together three risk management experts to share their crystal ball views. You can view the webinar recording here.
Our expert panelists included Laura Clark Fey, a privacy law specialist with Fey LLC, Bob Maley, Chief Security Officer with NormShield, and Adam Montville, The Center for Internet Security’s Chief Product Architect. Sam Abadir, Director of Industry Solutions, with Lockpath, a NAVEX Global Company, served as the moderator.
Here are a few highlights from the webinar that featured a Q&A with the panelists.
What is your top risk from 2019?
Maley deals with cyber and third-party risk daily and has a front-row seat on what’s happening. He notes the increase in data available to hackers from phones and websites. In response, many organizations have made their processes more complicated by checking all the boxes, but that approach is not very effective. A new trend is emerging from the desire for more effective risk management.
“In the last quarter, we’ve seen a trend toward quantitative over qualitative risk analysis,” said Maley. “We’re compelled to understand what the real risk is as opposed to looking at nice, colorful heat maps that don’t really tell us anything.”
Montville sees two related trends emerging from 2019. One is the establishment of vendor ecosystems and alliances to address issues and worry about standardization later. The second is enterprises moving away from long, drawn-out waterfall processes to a more effective DevOps model with governance as code.
Clark Fey’s top risk for 2019 is data privacy proliferation and the prospect for class action lawsuits. She remarks that over 80 countries have data privacy laws and regulators are increasingly comfortable with high dollar fines. She also cites a study showing general counsel’s concern that data privacy will be the next big wave of class action lawsuits.
What will the data privacy landscape look like in 2020?
Clark Fey sees data privacy laws increasing in number and complexity and cites 3,600 bills involving data privacy around the world. In the US, all eyes will be on state attorneys general, as no federal data privacy law exists.
“I’m not hopeful we’ll see a federal data privacy law anytime soon,” said Clark Fey. “Given the number of laws to comply with, we see many organizations taking a principle-based approach to data privacy.”
According to Maley, the data privacy landscape is complicated by the growth in outsourcing and by responsibility for data extending to third-, fourth-, even sixth-party providers. One tactic is to comply with the strictest data privacy regulation, on the assumption that doing so will also satisfy the other data privacy regulations.
Montville sees the privacy vs. security debate heating up, especially in the context of encryption. He believes a global issue like data privacy deserves a global solution, citing the example of TLS 1.3 and the movement to more automated, ecosystem-type solutions.
How can companies better protect their organizations in 2020?
Montville believes there will be opportunities in 2020 to simplify information security requirements. Organizations need security programs that go from policy to implementation quickly and consistently.
“I think companies need to do everything they can to ensure that security controls are built directly into the tools they leverage, as well as [have tools that] communicate with other tools,” said Montville.
Clark Fey sees value in understanding your data flow through the organization and the data lifecycle. You must know where data resides at every stage, from where it comes and where it goes to data’s different uses and purposes. It’s a process that’s challenging and often comes with big surprises, but it is well worth the effort.
Maley says there are limited funds and people to do all the work of protecting the organization. When you have hundreds or thousands of third parties, make the work manageable by determining which ones present the greatest risk. That is a better value than overspending on tools and controls.
How can companies better quantify risk?
Maley sees companies starting from the wrong perspective when managing risk. It’s not so much about inherent risk and controls. It’s more about understanding the financial impact of risk by reviewing the quantitative aspects.
Montville’s answer to quantifying risk is systematic interoperability between disparate tools. He asks, “How can we ensure results from one tool or ecosystem are correctly interpreted by others?” When information is trusted, there is more positive, objective control over the analysis.
Clark Fey starts with identifying risk to the organization. She believes in the importance of gaining buy-in from executives and knowing the company’s industry. Clark Fey also looks at company practices and statements about data privacy and protection.
What is your top prediction for 2020?
Clark Fey’s top prediction returns to her earlier point: the lack of a US federal standard for data privacy, with states acting on their own. She also predicts that 2020 will be the year a nation-sponsored hacking event captures international attention.
Maley believes things will get worse before they get better in 2020. His recommendation is that organizations need to think more like hackers to help prevent cyberattacks.
Montville forecasts a continuation of ransomware to the degree that it forces simplification of security programs and possibly a shift toward systematic interoperability. He also notes that ransomware is shifting to include the threat of public disclosure of stolen information.
Our thanks to Laura Clark Fey, Bob Maley, and Adam Montville for their panel participation and for sharing their expertise on 2020 risk trends and predictions. For more insights, watch the webinar recording.