The State of GRC in 2019: Seven Predictions for the Year Ahead


Written by: Matt Kunkel

Updated: May 01, 2023


From the GDPR finally taking effect in May to the Marriott data breach in November, 2018 kept risk managers on their toes.

Of course, many industry observers weren’t too surprised. New regulations have been in the offing for some time, and large-scale data breaches have become the norm (though they’ve certainly gotten more severe).

As companies continue to collect enormous volumes of personal data, the weight of responsibility on security teams only grows heavier every year. What was surprising was that, finally, some companies were held to account for failing to live up to this responsibility—just ask Mark Zuckerberg.

All of which brings us to the year ahead. The pace of change and headline-grabbing stories are sure to continue unabated, but are there other twists and turns that we might need to be ready for in 2019?

Let’s take a look at what GRC professionals can expect.

1) More Megabreaches

At the beginning of 2018, the world was still reeling in the aftermath of the Equifax data breach. Looking back, the Equifax ordeal can be seen as something of a bellwether for the megabreaches of 2018—in fact, they seemed to be in the headlines month after month. Victims included Facebook, Google, Quora, and Marriott, whose breach is considered the biggest ever. The lawsuits and legal fallout from each will extend throughout this year and beyond.

Expect more of the same in 2019. While we continue to gain a deeper understanding of the importance (and implications) of data backup and security, the breaches and data-hacking strategies likewise grow more sophisticated. This shows no signs of stopping, which could result in far more destructive and pinpointed breaches. Of course, companies know this, and will invest billions in training and awareness. It won’t be enough for an unlucky few, and megabreaches will continue to make headlines.

2) Industries in the Crosshairs

There won’t be much shift in which industries are at risk, but scrutiny will intensify as certain industries become increasingly vulnerable. Public utilities hold petabytes of customer data, and the potential for misuse is great. Breaches of ethics and outright abuse could blow up into a major scandal. Utility providers are no stranger to data breaches, cyberattacks, and irresponsible data protection, but the potential for real harm grows every year. Meanwhile, healthcare will be the fastest-growing sector for cybersecurity vendors overall, but it will also remain a prime target for breaches. Legal and financial services won’t lag far behind.

3) The Evolving Role of Individuals

In 2019, expect hackers to attack specific individuals—not just companies. As interconnected home gadgets and the Internet of Things proliferate, so too will the ways that attackers can gain access to personal data. Powerful corporate executives could become targets for such attacks, putting sensitive company and personal data at risk. CEOs and high net worth individuals aren’t the only ones in jeopardy, however. Coordinated cyberattacks on vulnerable home networks and devices could lead to large-scale thefts of credit card, banking, and even biometric information, via health-monitoring devices.

At lower rungs on the corporate ladder, expect to see businesses devote more resources and energy to enhanced employee cybersecurity training and awareness. Despite their efforts, the cybersecurity “skills gap” will continue to widen as job descriptions continue to exceed the reach of many professionals’ ability to perform them.

4) GDPR Will Bare Its Fangs

Though the General Data Protection Regulation (GDPR) went into effect in May of 2018, regulators have yet to drop the hammer on a company found noncompliant. The full consequences are fairly extreme (up to $23 million or 4% of global revenue, whichever is higher), but fines doled out so far have been minor and sporadic. In 2019, don’t be surprised to see a company (or companies) held up as an example and made to feel the full force of the law. Given that a mere 36% of global security decision makers feel that their firms fully comply with GDPR’s rules, it’s only a matter of when.

5) Preparing for a Stateside GDPR

The United States may not appoint a much-needed Cybersecurity Czar at the federal level, but new state laws are in the works that should play a similar role here to the one the GDPR plays in the EU. Most notably, the California Data Privacy Law goes into effect in January 2020, and companies will spend the year getting their ducks in a row. Meanwhile, New York is reportedly developing more comprehensive data laws of its own to complement the NYDFS Cybersecurity Regulation (which only covers financial institutions), adding to the global gauntlet of data compliance laws that companies must learn to navigate.

6) A Widening Web of Responsibility

As stories like those of PG&E and Saks Fifth Avenue illustrate, companies are finally starting to understand that their data-security responsibilities don’t end with their own systems and employees. In 2019 they’ll increasingly be held liable for security lapses caused by their networks of third-party vendors and supply chains. They’d be wise to start thinking holistically about these extended ecosystems, and incorporate them into their GRC processes as if they were their own divisions. Lawsuits, reputational damage, and millions in lost business are at stake.

7) Spending, Spending, Spending

Preparing for new laws, staying compliant with existing ones, integrating new technologies, hiring cybersecurity pros—it all adds up to billions of dollars. The total worldwide investment in Information Security topped $114 billion in 2018, and Gartner predicts that figure to reach $124 billion in 2019, an increase of 8.7%.

Are You Ready?

2019 is sure to bring its own share of headlines, and if one thing is for sure, you don’t want your company to join the growing list of breach victims. LogicGate’s IT Risk Management platform is a robust, scalable system that automates risk management processes across your organization. Implementing a tool such as LogicGate can help your IT Security team manage critical assets, define potential risks, assess threat levels, and put processes and controls in place to mitigate those risks and threats. LogicGate empowers your organization to prepare for and protect against data breaches, ultimately reducing potential risks and costs, and enabling your business to focus on business.

For more on IT Risk Management, check out LogicGate's eBook below on Building a Cyber-Savvy Culture: A Guide to Unlocking the Power of IT Security as a Business Enabler.
