Protiviti Experts Share Their Predictions
Recently, Tech Insights interviewed a number of Protiviti’s Technology Consulting leaders to get their thoughts on the “hot topics” on which CIOs and CISOs should focus in the year ahead. These insights are based on the conversations our experts have had with tech leaders throughout 2020. Our 2021 Tech Priorities series continues through January. Today, we look at what tech leaders must consider when managing security and privacy tools in 2021.
In December 2020, news broke about a massive cyberattack on the U.S. government, which – given the nature of the threat and its potential impact on many industries outside of federal agencies and the public sector – is likely to have a sweeping impact around the world for much of 2021. This compromise vividly illustrates the need for organizations to be hyper-vigilant going forward, protecting both systems and the valuable data housed within those platforms. While data security and privacy had been garnering more attention in 2020, thanks in great part to the COVID-19 pandemic, 2021 will be a key year for tech leaders to emphasize the criticality of protecting their organization’s “crown jewels.”
Between the push for digital transformation and the increased focus on regulatory concerns, companies adopting new operating models and technologies have introduced security and privacy risks into their ecosystems. While the incredible amounts of data organizations store and govern are a tremendous source of business information, rising regulatory activity activity has also become a significant factor in effective data management. Add to this the growing risk of cyberattacks and consumer demands for privacy protection and the need for vigilance rises to the top of everyone’s “must do” list. So, which areas should be considered first?
Too Many Tools
While significant data breaches raise awareness of the need for improved security and privacy practices, one of the biggest challenges to having an effective approach is simply having too many tools in the technology stack.
“On average, enterprises currently operate 75 separate security tools, creating a complex model which introduces operating risks for future privacy and security sustainment,” said Terry Jost, managing director and global lead for Protiviti’s security and privacy segment. “The quantity of tools results from the necessity to provide protection from an increasing number of cyber and privacy threats. We expect companies to reengineer their current automated systems and models with heavy consolidation of tools and fewer tool vendors, creating a more sustainable and predictable solution to manage these threats.”
Enrico Ferretti, managing director of technology consulting, Protiviti Italy, agreed. “It is not only a matter of how many resources a company concentrates on cyber security, but also how those resources are used and whether those tools are the most effective.
Very often, I see companies invest in technologies but they do not get the right benefit because they do not use them in the best way.” He added, “One of the main goals for CIOs and CISOs in 2021 is to make their cyber security approach effective in all three phases: prevention, detection and response. Too often, we see organizations focus on preventive measures, not paying enough attention to incident detection and response processes and technologies. Then, they discover an incident several weeks or months after it has happened, when they have lost their data and cannot mitigate the effect any longer.”
Use Cases and Zero Trust
Reviewing use cases is the most effective way to determine how to get the right tools and processes in place, said Manisha Agarwal-Shah, who leads Protiviti’s privacy practice.
“Often, clients ask, ‘I have these three or four technologies in-house. Help me understand how I can use these efficiently today to meet my privacy obligations?’,” said Shah. “In 2021, for the frugal organization, it is important to evaluate all the different use cases you want to meet your privacy needs. We encourage clients to ask themselves, ‘how do we implement our existing technology to meet our objectives? Which available technologies provide that service, and how well can it actually be achieved?’ An organization might realize that 80% of those use cases are being adequately met, based on its current stack.” She added that how an organization will govern, or manage, its data is also a critical concern. In 2021, “making executive decisions around what type of technology is needed today versus just focusing on the most cost-effective solution that’s available will be important,” she said. “Tech leaders want to make sound decisions, not just cost-saving decisions.”
The alignment of existing or new technologies with legally required and documented processes and protocols for managing and protecting user data often creates disconnects among business, IT and legal stakeholders; how does technology facilitate the operationalization and compliance obligations in a way that supports business imperatives without sacrificing critical governance mandates? “People, process and technology must function coherently and transparently,” said Joel Wuesthoff, managing director of Robert Half Legal’s privacy consulting practice, as regulators “will not give a free pass to companies whose compliance obligations are met only to the extent of the specific features and functionalities of their technology platforms.”
Curt Dalton, managing director and Technology Consulting innovation leader, added, “a prevalent trend is to utilize zero trust architectures and approaches that shift protections closer to the data that we need to protect. An example of shifting protections closer to the data is zero trust. Zero trust is about applying context to make risk-based decisions. Having that context allows leaders to make better risk-decisions. We’ll see an uptick in organizations asking for and taking steps towards zero trust, building zero trust within their environments. It’s all about protecting the data and leveraging more context to be able to make those decisions about how to protect the data the best they can.”
Ferretti agreed: “Due to the increase of untrusted media and devices used to access and treat company data, we will see a growing adoption of zero-trust architecture approaches binding many security measures to users and data and accepting that infrastructure and devices might be unsecure, like the ones that are used for remote working, which is so popular today. Data classification and protection and strong authentication technology will be much more pervasive. To improve incident detection and response capabilities, security and monitoring technologies will see wider adoption, especially those with integrated advanced features such as intelligent correlation and ATP.”
Automation to Increase Sustainable Productivity
Ferretti believes the “cloudification” of data subject rights and increasing awareness of those rights are requiring more resources for companies to deal with customers and other stakeholders for privacy matters. “In 2021, the automation of such processes will be a key element to keep these processes sustainable,” he said. “In addition, all the measures the regulators are asking companies to implement to control data transfers will require the implementation of further encryption and masking technologies to prevent and control data accesses.”
“We predict more companies will begin leveraging hyper–automation or moving automation from tasks to full scale processes,” said Jost. “The adoption of robotics technologies steps up to a new plateau this year; we predict the breadth of automation to reach higher in the enterprise and enable automation of business ecosystems.”
Companies “want to free up their resources to focus on running the business, not on backend compliance measures,” said Shah. “To operationalize compliance efforts without technology is very cumbersome,” she added. “We do see organizations pivoting to more of a managed service model. We recently worked with a client that just asked us to run backend processing for privacy requirements (PIAs, inventories, responding to DSARs) in 49-plus countries.”
Our 2021 Tech Priorities series continues through January. To date, we’ve taken a 30,000 foot view of what’s ahead in 2021 and reviewed the best tech investments for the coming year. Next, we will explore why introducing or expanding cloud will be critical for all organizations in 2021, followed by a tech leader’s view of the customer experience. To learn more about Protiviti’s Technology Consulting capabilities, contact us.