Security Compliance Trends for 2023

Kerwyn Velasco
January 11, 2023

In the last few years, the InfoSec Compliance industry has changed under a combination of new ways of working, accelerating digitalization, and a continuously rising bar of standards and regulations. Several upcoming trends will shape the security Compliance landscape further. Based on our own experience and analysis of industry drivers, we at anecdotes have compiled a short list of the trends we see as most impactful on a Compliance leader's day-to-day workflow and on the Compliance ecosystem in general.

Trend 1:  Open-Source Software Management within the Supply Chain

The IBM 2022 Cost of a Data Breach Report found that nearly 20% of organizations were breached through a software supply chain compromise. On September 14, 2022, the Office of Management and Budget (OMB) issued a memo requiring federal agencies to ensure that the third-party software they use was produced following secure software development practices. The memo implements Executive Order 14028, and its goal is broad adoption of those practices to help prevent the next large-scale attack on the global software supply chain. We at anecdotes have not yet seen the expected adoption levels, but preparation is underway: the market has seen an increase in vendors supporting supply chain security, including the software bill of materials (SBOM), a key component of software security and software supply chain risk management. For open-source software management to gain real traction within the supply chain, however, the government must clarify what the required outputs (such as an SBOM) are for, and the guidance must be practical and usable by Engineering. As deadlines loom, we expect more companies to be spurred into action.
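What "usable by Engineering" means in practice is that an SBOM is only worth producing if someone downstream can act on it: every component needs a name, a version, a package URL and an integrity hash, and the dependency graph must reference only components the document declares. The following is an added example written for this page, not anecdotes' code and not tooling from the OMB memo; it runs a minimal consumer check over a constructed CycloneDX 1.4 JSON document whose component names and digests are illustrative placeholders, not real packages.

```python
"""Minimal CycloneDX SBOM consumer check (added example).

Flags components that lack the fields a downstream consumer needs to act on
the SBOM (name, version, package URL, integrity hash) and dependency
entries that point at components the document never declares.
"""
import json
import re

# Constructed sample in CycloneDX 1.4 JSON layout. The component names,
# purls and the SHA-256 value are placeholders, not a real project's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-app",
                               "version": "1.0.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "lib-a", "version": "2.3.1",
         "purl": "pkg:pypi/lib-a@2.3.1",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        # lib-b: complete except for an integrity hash
        {"type": "library", "bom-ref": "lib-b", "name": "lib-b", "version": "0.9.0",
         "purl": "pkg:pypi/lib-b@0.9.0"},
        # lib-c: no version and no hash, so it cannot be matched to advisories
        {"type": "library", "bom-ref": "lib-c", "name": "lib-c",
         "purl": "pkg:npm/lib-c"},
    ],
    "dependencies": [
        # lib-d is referenced here but never declared as a component
        {"ref": "app", "dependsOn": ["lib-a", "lib-b", "lib-d"]},
        {"ref": "lib-a", "dependsOn": ["lib-c"]},
    ],
})

# Loose shape check for a package URL: scheme "pkg:", a type, then a path.
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/.+")


def check_sbom(text):
    """Return a list of (component_ref, problem) tuples; empty means clean."""
    bom = json.loads(text)
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        return [("bom", "not a CycloneDX document")]

    # Collect every bom-ref the document declares, including the root component.
    declared = set()
    root = bom.get("metadata", {}).get("component", {})
    if root.get("bom-ref"):
        declared.add(root["bom-ref"])

    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        declared.add(ref)
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                findings.append((ref, f"missing {field}"))
        if comp.get("purl") and not PURL_RE.match(comp["purl"]):
            findings.append((ref, "malformed purl"))
        if not comp.get("hashes"):
            findings.append((ref, "no integrity hash"))

    # Every edge in the dependency graph must resolve to a declared component.
    for dep in bom.get("dependencies", []):
        src = dep.get("ref")
        if src not in declared:
            findings.append((src, "dependency entry for undeclared component"))
        for target in dep.get("dependsOn", []):
            if target not in declared:
                findings.append((src, f"depends on undeclared component {target}"))
    return findings


if __name__ == "__main__":
    for ref, problem in check_sbom(SAMPLE_SBOM):
        print(f"{ref}: {problem}")
```

Run stand-alone, the script reports four problems in the constructed document: lib-b has no hash, lib-c has neither a version nor a hash, and the application depends on an undeclared lib-d. A real consumer would add a schema validation step and a lookup of each purl against a vulnerability database; those steps are omitted here because they need network access.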

Trend 2: Lack of Qualified Security Compliance Staff

The Security Compliance industry is in dire need of more people to fill key roles. According to the (ISC)² Cybersecurity Workforce Study 2022, there is a global cybersecurity workforce gap of 3.4 million people. ISACA's State of Cybersecurity 2022 survey report corroborates this: organizations are struggling more than ever to hire and retain qualified cybersecurity professionals and to manage skills gaps. 63% of respondents report unfilled cybersecurity positions, and 20% say it takes more than six months to find qualified candidates for open positions. The available talent often pivots from other roles, such as Customer Success, Sales, or DevOps, and therefore lacks either the technical or the regulatory experience that security compliance requires. The primary skills gaps noted for today's cybersecurity professionals are soft skills (54%), cloud computing (52%), and security controls (34%). This workforce gap, and the difficulty of hiring the right people, jeopardizes organizations' ability to perform risk assessments, oversight, and patching of critical systems. We see an opportunity in 2023 to prioritize Security Compliance within the organization and backfill these roles.

Trend 3: Fear-Based Focus on Privacy Concerns 

The US state privacy landscape is booming. In 2022, lawmakers in 29 states and the District of Columbia introduced or carried over data privacy bills. Several states already have privacy laws, such as the California Consumer Privacy Act (CCPA), and a federal effort, the American Data Privacy and Protection Act (ADPPA), is expected to be enacted in 2023. These laws, some of which carry a private right of action, open the door to class action lawsuits against businesses and organizations that collect consumer data. With this kind of visibility, it is no wonder that Boards are increasingly focused on privacy, especially given the legal liabilities and penalties a company faces after a breach with privacy implications. The financial and reputational hit is too severe to ignore. In the absence of mature privacy standards and audits, however, we believe the answer is to combine privacy controls with third-party risk management, so companies can demonstrate to their customers that user data is protected both internally and at their vendors.

Trend 4: Trust Gained, Trust Lost

From highly visible breaches of enterprises to the fall from grace of previously untouchable crypto companies, we note increased distrust in the Security Compliance field across both B2B and B2C markets. Forrester predicts that by the end of 2023, consumers' trust in tech companies will shrink by 15%. Frameworks such as ISACA's Digital Trust, and regulations such as the EU's Digital Operational Resilience Act (DORA), aim to bring digital trust to the forefront by requiring companies to be resilient to operational disruption. Resilience is hard to achieve and expensive, and we question whether consumer behavior will change if organizations fall short of it. All in all, in 2023 we see trust gained and trust lost; the exact balance of the scale remains to be seen.

Trend 5: Streamlined Regulations Simplify the Path to Compliance

2023 will see complex security and privacy regulations and frameworks become simpler. Recent revisions have consolidated and streamlined major frameworks: ISO 27001:2022 reduced its Annex A from 114 controls to 93, CIS Controls v8 merged 20 controls into 18, and PCI DSS 4.0 reorganized its requirements around security outcomes. In addition, the EU Commission has proposed the Cyber Resilience Act (CRA) to safeguard consumers and businesses buying or using products or software with a digital component. The Act introduces mandatory cybersecurity requirements for manufacturers and retailers of such products and extends those obligations across the product lifecycle. Together, these changes consolidate information security, privacy, and data protection requirements and make the path to Compliance smoother for organizations. We hope to see risk-based federal regulations put in place that apply across industries and technologies.

If you are looking to improve your Compliance posture in 2023, these trends are a good place to start. Whether the topic is open-source software management, Security Compliance staffing, Board focus on privacy, company emphasis on digital trust, or an overall streamlining of Compliance initiatives, each can be addressed in part through automation.

Visit us at anecdotes.ai to learn more about where Compliance is headed and how you can leverage data to automate, manage and mature your Compliance program in 2023 and beyond.

Kerwyn Velasco
Security and Compliance Nerd with 10 years GRC experience wearing all kinds of hats. He currently does marketing at anecdotes.