It’s hard to believe that we’ve already reached the last week of January in 2021. And though the year is starting off looking mightily similar to 2020, from a security and compliance standpoint so much has changed in the last 12 months and we see a lot of evolution in the year to come.
To that end, the Aptible team has some predictions for what’s to come in 2021 for GRC professionals, based on discussions with customers, prospects, partners, etc. If you are more of a visual or audio person, feel free to check out these predictions in our on-demand webinar. Or, keep reading for Aptible’s Top 3 GRC Predictions:
Prediction #1: Data Networks Decrease Vendor Risk
Discussing vendor risk management could be a webinar in itself (and, in fact, we do have several webinars on vendor risk, feel free to check them out at your leisure). But before we get into the “what” of the prediction, we’ll start with the “why” we believe it will come to pass.
What exists today:
The growth of cloud services over the past few years has brought more risk to vendors — not because the cloud services themselves are more risky, but because of the levels of interconnectedness between vendors. Start with cloud vendor A: they have 100 customers (probably more, but let’s keep the math easy). Each of those customers has another 100 customers, who have 100 customers, and some of those are interconnected with each other as well. Most or all of these customers don’t know how their data is linked with each secondary vendor, but it is. This played out very recently in the SolarWinds hack: many companies who were compromised were not direct customers of SolarWinds, but because they were customers of a vendor who was a customer of a vendor who was a customer of SolarWinds... they were compromised.
There are regulations to help curb these risks. Privacy frameworks like GDPR help with this a bit, because every company publishes a list of subprocessors. If you’re bored on a Saturday night and want to map out the network of companies that are tangentially attached to your company in a 6 degrees of Kevin Bacon kind of way, you can do so. But most people don’t have the time to do that, and so when a data breach occurs, it’s tough to know the impact to your business. It's no longer just the direct ties that can affect you, but the second, third, and so on.
So what’s coming?
Imagine a vendor-customer network where all of the “links” are known. Each vendor and customer connection is logged, and everything that is currently hidden is now public. The opportunity for a technology-powered way to track vendor risk management across all of this is immensely interesting. Think of it as contact tracing, but for your data. If one company gets hacked, other companies would know their level of risk based on the traceability of that network. This would make vendor risk calculation much easier.
Now, you might think: “This is not a prediction. Vendor risk management already exists.” Yet what our prediction speaks to is not your standard vendor risk solution: it’s more similar to a social network of companies. Members can share documentation and security information with their direct customers, and each company can manage their own vendors. And without disclosing relationships, a member of this vendor network could get visibility into how many vendors they are connected to, and what their risk looks like as a function of that.
This facilitates benefits bidirectionally: vendors can build customer trust (by sharing what they are doing from a security perspective) and customers have a more direct way to ask questions about security (rather than just asking for a SOC 2 report). It’s all very cool and Frank does a much better job of explaining it at minute 21 if you’re interested :)
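To make the “contact tracing for your data” idea concrete, here is an added Python sketch (not Aptible’s code and not from the webinar) that walks a constructed vendor-customer graph: given one compromised vendor it reports every downstream company’s degree of separation, and for any member it counts the vendors it transitively depends on without revealing who those vendors are. The company names and links are made up for the example.

```python
from collections import deque

# Constructed vendor/customer network (fictional names). Each key is a vendor,
# each value the set of its direct customers, who may themselves be vendors.
VENDOR_NETWORK = {
    "cloud-vendor-a": {"saas-b", "saas-c"},
    "saas-b": {"fintech-d", "healthco-e"},
    "saas-c": {"healthco-e"},
    "fintech-d": {"retailer-f"},
    "healthco-e": set(),
    "retailer-f": set(),
}


def exposure_by_degree(network, compromised):
    """Breadth-first walk downstream from a compromised vendor.

    Returns {company: degrees of separation}; degree 1 is a direct customer,
    degree 2 a customer of a customer, and so on. Shortest path wins, and the
    visited check also terminates on cyclic vendor relationships."""
    depth = {compromised: 0}
    queue = deque([compromised])
    while queue:
        vendor = queue.popleft()
        for customer in network.get(vendor, ()):
            if customer not in depth:
                depth[customer] = depth[vendor] + 1
                queue.append(customer)
    depth.pop(compromised)  # the breached vendor itself is not "exposed"
    return depth


def upstream_vendors(network, company):
    """Every vendor a company depends on, directly or transitively.

    len() of the result is the "how many vendors am I connected to" figure a
    member could be shown without the individual relationships being disclosed."""
    reverse = {}
    for vendor, customers in network.items():
        for customer in customers:
            reverse.setdefault(customer, set()).add(vendor)
    seen, stack = set(), [company]
    while stack:
        node = stack.pop()
        for vendor in reverse.get(node, ()):
            if vendor not in seen:
                seen.add(vendor)
                stack.append(vendor)
    return seen
```

Calling `exposure_by_degree(VENDOR_NETWORK, "cloud-vendor-a")` shows that `retailer-f` is exposed at three degrees even though it never contracted with the breached vendor, which is the SolarWinds pattern described above.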
Prediction #2: Compliance automation reaches enlightenment
Compliance automation is most definitely a buzzword, and there’s a big spectrum of what it can mean. At Aptible, we talk about two groups of compliance automation:
- Dumb automation. This is where most solutions are today: GRC software that integrates with the external software you’re already using, and that integration makes it marginally easier to perform manual tasks.
- Smart automation. Smart automation isn’t about integrating with external systems to help you conduct manual work, but about automating the work that needs to be done.
An example of smart automation would be integrating with AWS directly, collecting data to demonstrate that you’re in conformance, logging it as evidence, and tying it back to the controls that you need to adhere to. So now, when you need to use it for an audit or because there’s an issue, ta-da! It’s there, and you didn’t have to go collect it. So although the dumb automations may make it easier to get the work done (or, at least, to remember to do it), the smart automations actually do the work for you.
According to this report from Coalfire, more and more companies are investing in compliance automation. Part of this is due to the growth in notoriously difficult compliance frameworks. Frameworks like HITRUST, FedRAMP, and others are notorious for being... well... a nightmare. Automation holds a lot of potential to help organizations achieve these compliance goals without completely going off the deep end.
At Aptible, we’ve spoken to enough customers and prospects to confidently say that for B2B SaaS companies, there are 3 areas where compliance automation offers the greatest potential payback:
- Compliance evidence collection
- Continuous system analysis and control monitoring
- IaC and strong continuous integration (CI) and continuous delivery (CD) controls
Automating compliance processes definitely reduces time and stress during audit season, which is a huge benefit for Aptible customers. Beyond that, compliance automation helps organizations improve their overall GRC posture, reduce risk associated with human error, and get a single source of truth when it comes to their compliance program. Which leads us into our third GRC prediction.
Prediction #3: Platforms overtake point solutions
We’re going to see continued interest in platform adoption within the B2B SaaS space. Today, there are a lot of point solutions that can adequately manage a piece of the overall GRC puzzle, but it is often fragmented. The image below is a good representation of this. A lot of the security posture and information represented (as well as ability to interpret that information) is strewn across a number of different systems. We talk to a lot of companies that are using ten or more systems to collect logs, manage asset inventories, oversee workflows, manage vendors, and on and on. The biggest pain is that these systems do not talk to one another.
Most GRC companies today are building features and not platforms. At Aptible, we believe that the core data that powers your compliance program should all live in one place. We take a risk-based approach to identifying new controls.
Here’s an example of what fragmentation looks like in the real world. (Frank discusses at 4:30)
- A vulnerability is reported in one system (GitHub or the like) which surfaces a risk in how your system is built.
- You define a risk treatment to track it.
- Using one point solution, you document the risk.
- You track the risk treatment in a different system (JIRA).
- To understand how this ties back to your assets, you might use Asset Panda or another asset management system.
- Do you want to monitor what happens after — that you aren’t regressing? Probably have another system for doing that (some sort of security monitoring).
So there we have at least 4 (but probably more like 5) systems being used. In this reality, it is really hard to track whether you’re meeting your security controls and objectives, and almost impossible to communicate to stakeholders (customers and auditors).
All of these core pieces: assets you care about, vendors you’re using, policies you have in place and how they translate to security controls, as well as the evidence you’re collecting — having them all in one system, connected together, means you can operate so much more effectively.
And so, there it is! Aptible’s top predictions for the GRC space in 2021. If you’re interested in checking out the full webinar, click here to access it. And if you’re interested in learning more about how Aptible Comply, our GRC software for B2B SaaS companies, can help you get ahead of these trends by automating your compliance program and understanding (and reducing) your vendor risk, please click here to schedule a demo with a member of our team.
Here’s wishing you a very safe, healthy, and compliant 2021.