Last Updated on March 7, 2022
On a recent episode of The Virtual CISO Podcast, host John Verry shares his predictions for the 8 top trends that will impact the information security and privacy sectors in 2022.
John’s prediction #5 calls out the growing importance of security and privacy compliance for many businesses. As he frames it, “You will, in the not-too-distant future, use the term ‘our compliance officer’ or ‘our GRC platform.’”
Why are compliance and governance hot topics?
In John’s view, this increasing focus on governance, risk and compliance (GRC) stems from a fast-growing need to prove (not just assert) to regulators, customers, partners, shareholders, auditors and other stakeholders that your business is secure and in compliance with applicable security and privacy regulations.
“I fully understand that you can be compliant and not secure,” John concedes. “And, in theory, you can be secure and not compliant. But if we architect a cybersecurity program—an information security management system—well, then we should be able to get to a point where compliance does equal security. And whether or not it does or not, in any particular instance… If you’re going to need to prove that you’re secure and compliant to a third party, if you don’t have evidence and if you can’t prove that you’re complying with the controls that you’ve specified and that those controls are operating as intended, then you’re going to be in trouble.”
Compliance is all about evidence, and that evidence is good for a lot more than filling up cheap storage in some remote corner of your company. It’s a cornerstone of how you represent your security and privacy operations to the outside world. Especially if you don’t currently have a third-party cybersecurity attestation like an ISO 27001 certification or SOC 2 report, your compliance data is probably the best evidence you have of running a well-governed security and/or privacy program that does what you say it does.
The rise of “compliance as a service”
Along with a greater need to pay attention to cyber compliance in general, John also predicts a shift toward “compliance as a service” (CaaS) solutions.
“I think you’re going to see ‘compliance as a service’ offerings grow in popularity as well,” adds John. “Because while security isn’t compliance, it’s close enough that a) there’s a shortage [of potential staff] and b) the [salaries] in the compliance space are going up as well. So, leveraging a third-party service to help you manage compliance is increasingly a viable option.”
Similarly, a GRC platform, assuming it’s configured and used optimally, can greatly simplify the process of demonstrating security and compliance. For example, a GRC solution can simplify sharing evidence of your ISMS operations with auditors.
Ready to listen to all of John’s 2022 prognostications? Click here to listen to the podcast in its entirety.
Want to catch up on the latest compliance and governance trends? You’ll love this podcast with compliance thought leader Mosi Platt: EP#68 – Mosi Platt – Why Continuous Compliance Matters More than Ever