
2018 Trends in Governance, Risk, & Compliance

Risk management practices have typically looked backward to satisfy compliance needs rather than forward to support decisions based on business objectives. That practice has been turned on its ear of late by a set of new realities: (1) the European Union’s General Data Protection Regulation (GDPR), which creates present and future risk for any organization that processes the personal data of people in the EU; (2) a wave of cybersecurity breaches that now threatens to become a tsunami, destroying company reputations and business models in its path; and (3) the rise of artificial intelligence and machine learning, whose purpose is to give organizations insight into what lies ahead.

Sila sees the following specific trends making an impact this year and beyond.

A risk-based approach to GDPR compliance will give organizations a sustainable and repeatable model for meeting their obligations. The potential cost of GDPR fines (up to 4% of annual global turnover or €20 million, whichever is higher) and judgments, along with the impact on brand reputation, will cause organizations to rely more heavily on risk management practices. A risk-based approach to GDPR produces quantifiable results, such as expected and worst-case loss per processing activity, that let organizations understand their potential loss, prioritize compliance gaps, and revise their data management practices accordingly.

Quantitative cybersecurity risk management will provide executives and board members with meaningful, actionable insight for making strategic decisions. With the rise in cybersecurity breaches and the penalties and regulations that have followed, business executives have turned to risk management professionals to understand and reduce their companies' risk profiles. Qualitative risk management, with its high/medium/low ratings, could not provide discrete, defensible figures that survive scrutiny or comparison across risks. Organizations have responded by adopting quantitative methodologies that express risk as probable loss, empowering executives to make informed, actionable business decisions that reduce their organization's risk.
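The quantified view of loss described in the two paragraphs above (GDPR exposure and cyber risk alike) can be made concrete with a Monte Carlo loss model. The following is an added example, not Sila's methodology or tooling: it estimates each scenario's event frequency as a Poisson mean and its per-event loss as a lognormal fitted to a median and 90th-percentile estimate, simulates many years, and ranks scenarios by annualized loss expectancy (ALE). The two scenarios, their parameter values, and the €1M exceedance threshold are constructed for illustration, not measured data.

```python
"""Monte Carlo loss model for comparing cyber and GDPR risk scenarios.

Added illustration; not Sila's methodology or tooling.  The scenarios and
their frequency/magnitude estimates are constructed for the example.
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.2816  # standard-normal 90th percentile, used to turn a p90 estimate into sigma


@dataclass
class Scenario:
    name: str
    events_per_year: float  # expected loss-event frequency (Poisson mean)
    median_loss: float      # per-event loss magnitude, 50th percentile
    p90_loss: float         # per-event loss magnitude, 90th percentile

    def lognormal_params(self):
        """Convert the median/p90 estimates into lognormal (mu, sigma)."""
        mu = math.log(self.median_loss)
        sigma = (math.log(self.p90_loss) - mu) / Z90
        return mu, sigma

    def analytic_ale(self):
        """Closed-form annualized loss expectancy: frequency x mean per-event loss."""
        mu, sigma = self.lognormal_params()
        return self.events_per_year * math.exp(mu + sigma ** 2 / 2)


def poisson(rng, lam):
    """Poisson sample by Knuth's multiplication method (adequate for small lam)."""
    if lam <= 0:
        return 0
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenario, trials=50_000, seed=7):
    """One simulated year per trial: draw the event count, then sum per-event losses."""
    rng = random.Random(seed)
    mu, sigma = scenario.lognormal_params()
    losses = []
    for _ in range(trials):
        n = poisson(rng, scenario.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def percentile(values, q):
    """Nearest-rank percentile for 0 < q <= 100."""
    ordered = sorted(values)
    idx = max(0, math.ceil(q / 100 * len(ordered)) - 1)
    return ordered[idx]


def summarize(scenario, trials=50_000, seed=7):
    losses = simulate_annual_losses(scenario, trials, seed)
    return {
        "name": scenario.name,
        "ale": sum(losses) / len(losses),  # expected annual loss
        "p95": percentile(losses, 95),      # roughly a 1-in-20-year loss
        "p_exceeds_1m": sum(1 for x in losses if x > 1_000_000) / len(losses),
    }


def prioritize(scenarios, key="ale", **kw):
    """Rank scenarios by the chosen metric, worst first."""
    return sorted((summarize(s, **kw) for s in scenarios),
                  key=lambda r: r[key], reverse=True)


# Constructed scenarios: a GDPR enforcement action vs. a customer-data breach.
GDPR_FINE = Scenario("GDPR enforcement action", 0.1, 500_000, 4_000_000)
DATA_BREACH = Scenario("Customer-data breach", 1.0, 250_000, 1_000_000)

if __name__ == "__main__":
    for row in prioritize([GDPR_FINE, DATA_BREACH]):
        print(f"{row['name']:26s} ALE={row['ale']:>12,.0f}  "
              f"P95={row['p95']:>12,.0f}  P(loss>1M)={row['p_exceeds_1m']:.1%}")
```

With these constructed inputs the breach scenario has the larger ALE, but the rarer, more severe GDPR scenario gains on it at high percentiles, so a report to the board should show a tail metric alongside ALE rather than a single number. The `analytic_ale` method is a sanity check: if the simulated mean drifts far from it, the sampler or the parameter conversion is wrong.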

Machine learning will support security analysts overseeing vulnerability management by enhancing human decision-making, not replacing it. Rule-based engines for categorizing and prioritizing vulnerabilities must be continually monitored, updated, refined, and managed by humans, because every new asset class or threat requires another hand-written rule. A more robust approach is to use machine learning in place of the rule engine, continuously learning from the security analyst's own triage actions together with metadata about the affected assets. The learned model still needs the analyst's review: it inherits whatever bias or error is present in the decisions it was trained on.
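The contrast drawn above, a static rule engine versus a model that learns from the analyst, can be shown in a few dozen lines. The following is an added example, not Sila's or any vendor's code. It trains a plain logistic-regression model (hand-written SGD, no libraries) on constructed triage records in which an analyst escalated or deferred findings based on asset metadata, then ranks a constructed backlog both by a CVSS-only rule and by the learned model. The feature set (CVSS score, public exploit, internet exposure, critical asset), the records, and the vulnerability identifiers are all assumptions made for the illustration.

```python
"""Learning vulnerability priority from analyst triage decisions.

Added illustration, not Sila's or any vendor's code.  The triage records
and backlog are constructed; decision 1 = escalated, 0 = deferred.
"""
import math

# Hypothetical feature set; real asset inventories carry far more metadata.
FEATURES = ("cvss", "exploit", "internet_facing", "critical_asset")


def vuln(cvss, exploit, internet_facing, critical_asset, vid):
    return {"cvss": cvss, "exploit": exploit, "internet_facing": internet_facing,
            "critical_asset": critical_asset, "id": vid}


def featurize(v):
    """Numeric feature vector in FEATURES order; CVSS scaled to 0..1."""
    return [v["cvss"] / 10.0, float(v["exploit"]),
            float(v["internet_facing"]), float(v["critical_asset"])]


def rule_engine_score(v):
    """The static approach: prioritize by CVSS alone, tuned by hand as needs change."""
    return v["cvss"]


class TriageModel:
    """Logistic regression updated online from each analyst decision."""

    def __init__(self, n_features, lr=0.5):
        self.w = [0.0] * n_features
        self.b = 0.0
        self.lr = lr

    def score(self, x):
        """Probability that the analyst would escalate this finding."""
        z = sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
        return 1.0 / (1.0 + math.exp(-z))

    def learn(self, x, decision):
        """One SGD step on the log-loss for a single observed decision."""
        err = self.score(x) - decision
        self.w = [wi - self.lr * err * xi for wi, xi in zip(self.w, x)]
        self.b -= self.lr * err

    def fit(self, records, epochs=300):
        for _ in range(epochs):
            for v, decision in records:
                self.learn(featurize(v), decision)
        return self

    def weights(self):
        """Expose the learned weights so the analyst can review what the model picked up."""
        return dict(zip(FEATURES, self.w))


# Constructed history: the analyst escalated internet-facing findings that were
# exploited or sat on a critical asset, and deferred internal ones despite high CVSS.
ANALYST_HISTORY = [
    (vuln(7.5, 1, 1, 1, "V-01"), 1), (vuln(6.5, 1, 1, 0, "V-02"), 1),
    (vuln(8.0, 0, 1, 1, "V-03"), 1), (vuln(5.3, 1, 1, 1, "V-04"), 1),
    (vuln(7.2, 1, 1, 0, "V-05"), 1), (vuln(9.8, 0, 0, 0, "V-06"), 0),
    (vuln(9.1, 0, 0, 1, "V-07"), 0), (vuln(8.8, 1, 0, 0, "V-08"), 0),
    (vuln(7.5, 0, 1, 0, "V-09"), 0), (vuln(6.1, 0, 0, 0, "V-10"), 0),
]

# Constructed backlog of new findings to prioritize.
BACKLOG = [
    vuln(9.5, 0, 0, 1, "V-11"),  # critical CVSS, internal, no public exploit
    vuln(6.0, 1, 1, 1, "V-12"),  # medium CVSS, exploited, internet-facing, critical asset
    vuln(8.2, 0, 0, 0, "V-13"),  # high CVSS, internal, low-value asset
]


def rank(backlog, scorer):
    return [v["id"] for v in sorted(backlog, key=scorer, reverse=True)]


def train_model():
    return TriageModel(len(FEATURES)).fit(ANALYST_HISTORY)


def training_accuracy(model):
    hits = sum((model.score(featurize(v)) >= 0.5) == bool(d) for v, d in ANALYST_HISTORY)
    return hits / len(ANALYST_HISTORY)


def compare_rankings():
    model = train_model()
    return {"rule_engine": rank(BACKLOG, rule_engine_score),
            "learned": rank(BACKLOG, lambda v: model.score(featurize(v)))}


if __name__ == "__main__":
    print(compare_rankings())
    print(train_model().weights())
```

The rule engine puts the CVSS 9.5 internal finding first; the learned model puts the exploited, internet-facing finding on a critical asset first, which is what the analyst's own history says they would do. The `weights()` method is the human-in-the-loop check: if the model has learned a large negative weight on CVSS because of a quirk in the training data, the analyst sees it before the ranking is trusted.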