Originally published in NAVEX Global's Top 10 Risk & Compliance Trends for 2021 eBook.
The shift to remote work resulting from the COVID pandemic has increased the scope of risk and thus broadened the area of responsibility for risk managers. Regulations continue to proliferate, and risk now comes from more places than ever before. The work-from-home (WFH) environment offers new opportunities for data breaches, policy violations, audit failures, and third-party risk, to name just a few of the IT risks that follow from a remote workforce.
This high-risk environment is challenging for compliance and IT professionals, who will have to keep track of more areas of risk in the new WFH environment. Cyber attackers have seized this opportunity and significantly expanded their campaigns at a time when organizations are most vulnerable. The frequency of cyber-attacks, such as phishing attacks on remote workers and attacks on remote physical infrastructure, is likely to increase in 2021 as remote work continues and even becomes the norm for many companies.
In addition to increased threats to cybersecurity, the regulatory and risk-management environments are likely to shift next year, increasing the challenges for compliance officers, as recent regulatory changes come online:
- The recent California Privacy Rights Act (CPRA) expands the data privacy rights in the California Consumer Privacy Act (CCPA). Other states are likely to follow.
- The Payment Card Industry (PCI) will be issuing a new version of its Data Security Standard (DSS) for credit and debit cards in 2021. PCI DSS 4.0 will update security rules for payments industry needs, support additional security measures, promote security as a continuous process, and enhance validation methods.
- NIST 800-53 rev. 5, published in September 2020, will be a good privacy framework option as organizations prepare for the many different privacy regulations on the way.
The scope and complexity of cybersecurity risk and compliance will continue to increase as WFH becomes a semi-permanent condition, even after vaccines control the COVID-19 pandemic. As a result, compliance and IT functions will need to find new ways to collect and communicate risk data, prioritize risk, and incorporate inputs and outputs throughout the organization.
The landscape of business risk in 2021 will be more varied, dangerous, and prolific than in years past. The pandemic-induced remote-work environment will continue to prompt a significant number of IT-related risks, going far beyond what many compliance professionals may be used to.
IT Frameworks Manage and Communicate Risk Data
There are many different information security frameworks that compliance officers can adopt to help align the technical aspects and language of information security with compliance and business risk. Adopt a technology framework to translate information security into compliance issues; this will help compliance officers understand, measure, report on, and act to protect the organization from the heightened risks of a WFH environment. These risks are amplified by COVID and will continue to increase in the hybrid office environment that remains after the pandemic subsides.
The NIST Cybersecurity Framework (CSF) is designed to help translate IT risk into business and compliance risk. Simplify and strengthen compliance and cybersecurity together by tackling them with a compliance-focused infosec strategy.
Steps Your Company Can Take
1. Join Forces with the IT Department
A progressive risk-based approach requires compliance and IT departments to work closely together. Compliance has likely already mapped compliance requirements to processes; now it’s time to map IT assets to software and software to processes. Together these mappings form a Rosetta Stone for translating information security metrics into business risk and compliance objectives – quantifiable metrics that compliance officers can measure and report on.
2. Manage What Matters
Not all IT events, processes, and compliance objectives need the same investment in risk management. Work with IT, risk management, and business leadership to understand what is most important, where your risk management efforts stand today, and where you need to make adjustments to arrive at the right risk management approach.
3. Map Cybersecurity Risks to Controls and Operations
Map IT processes to business processes and objectives. These mappings translate information security findings into business and compliance terms and impacts. Next, define IT and compliance roles so that responsibility for IT compliance and other security issues is clear as they are identified.
4. Contextualize Risk Data to Support All Lines of Business
With a structure and flow of information in place between the compliance and IT departments, you have an avenue to report on and analyze cybersecurity data. It also becomes easier to report risk to different lines of business, such as legal, operations, and product development. Refer to the controls mapping to translate risk information in a way that supports and protects each line of business.
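As an added illustration of the mapping chain in steps 1 through 4 (example code, not from the eBook): every asset, software, process and objective name below is constructed, and a finding on an asset that reaches no objective is reported as unmapped rather than silently dropped.

```python
from collections import defaultdict

# Constructed sample mappings (hypothetical asset, software and process names).
ASSET_TO_SOFTWARE = {
    "vpn-gw-01": ["vpn-concentrator"],
    "laptop-fleet": ["endpoint-agent", "email-client"],
    "pay-db-02": ["payments-service"],
}
SOFTWARE_TO_PROCESS = {
    "vpn-concentrator": ["remote-access"],
    "endpoint-agent": ["remote-access", "customer-support"],
    "email-client": ["customer-support"],
    "payments-service": ["card-payments"],
}
# Each business process maps to (line of business, compliance objective) pairs.
PROCESS_TO_OBJECTIVES = {
    "remote-access": [("operations", "PCI DSS: secure remote access")],
    "customer-support": [("legal", "CPRA: protect consumer personal data")],
    "card-payments": [("product", "PCI DSS: protect stored cardholder data"),
                      ("legal", "CPRA: protect consumer personal data")],
}
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def objectives_for_asset(asset):
    """Follow asset -> software -> process -> objective; returns a set of pairs."""
    hits = set()
    for software in ASSET_TO_SOFTWARE.get(asset, []):
        for process in SOFTWARE_TO_PROCESS.get(software, []):
            hits.update(PROCESS_TO_OBJECTIVES.get(process, []))
    return hits

def compliance_impact(findings):
    """findings: list of (asset, severity). Returns (report, unmapped): report is
    {line_of_business: {objective: worst_severity}}; unmapped lists assets that
    reach no objective, so a finding never disappears from the picture silently."""
    report, unmapped = defaultdict(dict), []
    for asset, severity in findings:
        targets = objectives_for_asset(asset)
        if not targets:
            unmapped.append(asset)
            continue
        for lob, objective in targets:
            worst = max(report[lob].get(objective, 0), SEVERITY[severity])
            report[lob][objective] = worst
    return {lob: dict(objs) for lob, objs in report.items()}, unmapped

# Constructed findings, e.g. from a vulnerability scan of the remote estate.
FINDINGS = [("vpn-gw-01", "high"), ("laptop-fleet", "medium"),
            ("pay-db-02", "critical"), ("printer-99", "low")]
```

Calling `compliance_impact(FINDINGS)` gives each line of business the worst severity touching each of its objectives, plus the list of assets the mapping does not yet cover.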
The past year has demonstrated how interconnected and global risk really is. The landscape of business risk in 2021 will be more varied, dangerous, and prolific than in years past. The pandemic-induced remote-work environment will continue to prompt a significant number of information security risks, going far beyond what many compliance professionals may be used to ... and maybe far beyond what we can imagine.
On the other hand, if there were ever a good year to convince leadership and the board to prioritize risk-management initiatives, 2021 is it.