In the last few years, the InfoSec Compliance industry has evolved due to a combination of new ways of working, the growing trend of digitalization, and the continuously rising bar of standards and regulations. Going forward, several upcoming trends will further impact the security Compliance landscape. Based on deep expertise and extensive analysis of industry drivers, we at anecdotes have compiled a short list of the Compliance trends for 2023 we see as being the most impactful on a GRC leader’s day-to-day workflow and the Compliance ecosystem in general.
The latest IBM 2022 Cost of a Data Breach Report revealed that nearly 20% of organizations were breached due to a software supply chain compromise. On September 14, 2022, the Office of Management and Budget (OMB) issued memo M-22-18, requiring federal agencies to comply with rules ensuring that their third-party software meets secure software development practices. The goal is widespread adoption of the Executive Order (EO) to help prevent the next massive cyberattack on the global supply chain. While we at anecdotes have not yet seen the expected adoption levels achieved, we note that preparation is underway. The market has seen an increase in vendors supporting supply chain security, including the software bill of materials (SBOM), a key component of software security and software supply chain risk management. However, we believe that for open-source software management to gain the desired traction within the supply chain, the government must clarify the purpose of the output, and the guidance must be practical and usable by Engineering. Still, as deadlines loom, we expect more companies to be spurred into action.
The Security Compliance industry is in dire need of more people to fill key roles. According to the (ISC)2 Cybersecurity Workforce Study 2022, there is a global cybersecurity workforce gap of 3.4 million people. This study is corroborated by ISACA’s State of Cybersecurity 2022 survey report, which finds that organizations are struggling more than ever with hiring and retaining qualified cybersecurity professionals and with managing skills gaps. Of the respondents, 63% report unfilled cybersecurity positions, and 20% say it takes more than six months to find qualified cybersecurity candidates for open positions. The pool of available talent often pivots from other roles – Customer Success, Sales, or DevOps – and therefore lacks the technical or regulatory experience necessary for security Compliance.
The primary skills gaps noted for today’s cybersecurity professionals are:
This workforce gap and complexities in hiring the right people jeopardize organizations’ ability to perform risk assessments, oversight, and critical systems patching. We see an opportunity in 2023 to prioritize Security Compliance within the organization and backfill these roles.
The US state privacy landscape is booming. In 2022, lawmakers in 29 states and the District of Columbia introduced or carried over data privacy bills. Several states have privacy laws – such as the California Consumer Privacy Act (CCPA) – and there is also an effort at the federal level, the American Data Privacy and Protection Act (ADPPA), that is expected to be enacted in 2023. These state privacy laws will pave the way for class action lawsuits against any business or organization that collects consumer data. With this type of visibility, it’s no wonder that Boards have been increasingly focused on privacy concerns, especially in light of the legal liabilities and penalties companies will face in case of a breach with privacy implications. The financial and reputational hit is too severe to ignore. However, in the absence of standards and audits, we believe the secret sauce is privacy plus third-party risk, so companies can prove to their customers that their user data is safe.
From highly visible breaches of enterprises to the fall from grace of previously untouchable crypto companies, we note an increased distrust in the Security Compliance field in both B2B and B2C markets. Forrester predicts that by the end of 2023, consumers’ trust in tech companies will shrink 15%. Frameworks like ISACA’s Digital Trust, and regulations and laws such as the Digital Operational Resilience Act (DORA) in the UK, are focused on bringing digital trust to the forefront by ensuring companies are resilient to operational disruption. We feel resilience is hard to achieve and expensive, and we question whether consumer behavior will change if organizations experience resilience challenges. All in all, as one of the top 2023 Compliance trends, we see trust gained and trust lost. The exact balance of the scale remains to be seen.
Compliance in 2023 will see complex security and privacy regulations and frameworks become simplified. In recent years, some of the requirements of ISO 27001, PCI DSS 4.0, and CIS v8 have been reduced to make them more streamlined, simpler, and more concise. In addition, the EU Commission has introduced the Cyber Resilience Act (CRA) to safeguard consumers and businesses buying or using products or software with a digital component. The Act introduces mandatory cybersecurity requirements for manufacturers and retailers of such products and extends this protection throughout the product lifecycle. All of these changes streamline information, privacy, and data requirements to make the path to Compliance in 2023 smoother for organizations. We hope to see risk-based federal regulations put into place that would apply to industries and technologies everywhere. Therefore, regulatory Compliance trends in 2023 will push us towards a simpler process while remaining as thorough as it is now.
If you’re trying to enhance your Compliance posture in 2023, anecdotes’ top Compliance industry trend picks are an excellent, effective place to start. Whether it’s open-source software management, Security Compliance staff augmentation, Board focus on privacy, company emphasis on digital trust, or an overall streamlining of Compliance initiatives, each of these trends in Compliance can be addressed through automation.
Visit us at anecdotes.ai to learn more about where governance, risk, and Compliance trends in 2023 are headed and how you can leverage data and AI in GRC to automate, manage, and mature your Compliance program in 2023 and beyond.