Technology spending continues to grow, despite the challenges presented by recessions, inflation and an increasingly tense global environment. Corporations are being forced to evolve faster than ever before, adopting new technologies and processes both in response to heightened expectations around customer engagement, as well as new and evolving threats. This creates a confluence of factors that have regulators and the institutions they supervise racing to keep pace. The result is an increasingly stringent privacy regulatory burden that creates a continuous challenge for businesses striving to comply.
Protecting Employee and Customer Privacy
Privacy is at the heart of much of this activity, with over 130 jurisdictions across 30 countries enforcing privacy mandates globally. In Forrester’s Business Privacy Survey 2021, three of the top five challenges respondents face when protecting employee and customer privacy all involve fear: Fear of negative impact on employees (36%), fear of negative impact on the customer experience (35%) and fear of limiting innovation (33%).
Security and risk professionals face a daunting challenge as they attempt to comply with these regulations. Technology is moving so fast, and there are so many vendors and so many possible approaches, that many organizations aren’t even able to put their thoughts into an RFP to select the best alternative. They simply don’t have a clear view of where the industry is going, and they are often unaware of how they can support their business’s strategic initiatives.
With 94% of enterprises using cloud services today, a key element of maintaining privacy is securing data in the cloud. There is a clear understanding among security and risk professionals that the status quo is not working, is not reducing risk and is not helping governance. One problem is that data touches so many areas of the business that securing it has many owners and no one owns it all. Is it a security problem for the cloud team, or should GRC be responsible? Depending on the organization, the answer is, too often, “maybe.”
As a result, the problem space is so amorphous that attempting to create an RFP is proving fruitless for many organizations. They just aren’t sure what they need or how to define it. For decades, the way to answer these questions was to put out lists of questions around specific capabilities in an effort to craft that definition. However, a recent Gartner Security and Identity Adoption Trends survey identified that 83% of organizations are pursuing a vendor consolidation strategy. This is due to a recognition that they have been over-buying and under-utilizing technology without realizing sufficient value from their purchases.
Vendors Need to Identify Solutions
Vendors must develop a more effective means of identifying the right solution to their problem. Discussions that currently start from technical solutions and deep, technical questionnaires must instead start from an understanding of the business justification for purchasing technology, in order to avoid overbuying and acquiring shelfware.
If vendors don’t change their approach, the buying pattern will continue to leave businesses exposed to risk. The siloed business units and application owners will not recognize the overlap, but the teams tasked with creating and then implementing policy decisions to support the business will. The result of the current process is ineffective evaluations, overbuying of technology, an expanding threat surface, and an expanding blast radius: implementations of these tools risk creating environments where a compromised identity or account, or overly permissive access granted to accelerate tool integration, allows an attacker to reach large amounts of PII.