In the past year, we've had extensive conversations with dozens of our customers and partners from various industries. Here are the top three trends we've gathered based on what they've seen:
1) Mo' vendors, mo' data (and mo' problems) We figured music legend Christopher Wallace's paraphrased saying is an apt description of heightened expectations of safeguarding customer data and privacy, especially with the California Consumer Privacy Act (CCPA) in effect as of a few days ago. While the regulation targets large companies (i.e. those with annual gross revenue of at least $25 million), the mandates set out by the Act apply to smaller companies as well – specifically the requirements around vendors and partners' management of sensitive data.
Now more than ever, you need to periodically audit and monitor your vendors and partners' security and privacy practices. And if they haven't already, your vendors and partners should provide proof of data protection and privacy safeguards. They should also share with you reports and proof of certifications like SOC 2 and or ISO 27001 attesting to the security of their systems, controls, and policies.
2) Security and compliance is everyone's responsibility
Given the much greater emphasis on data and privacy protection from both consumers and regulators (thanks to Target, Equifax, Marriott, and all the organizations who couldn't be bothered to beef up their security practices), we see this year being the start of the "no excuses" approach to security: organizations will increasingly require that anyone looking to do business with them needs to walk the proverbial security walk.
What does that mean for you and your org?
Make knowledge sharing and collaboration about compliance and security activities a habit Ongoing security awareness training and a robust internal culture of "security first" are musts Conduct risk assessments every quarter to identify gaps and redundancies, and share the findings with everyone internally (literally everyone from accounting to sales) so that everyone understands what they can do to help
3) Leverage the right PPT fit for your org's needs
For SMBs like our customers, enterprise-grade security and compliance tools are no longer out of reach (or overkill, for that matter). From what our customers and partners have seen since 2017, security and compliance software tools for SMBs have greatly proliferated and have offerings addressing everything from intrusion detection to continuous vulnerability and compliance scanning. And ensuring the right people are assigned to using those tools and the well-thought out processes are created to support them will make those tools' adoption that much easier.
That's why it's even more important for you to thoroughly do due diligence on any compliance tool you're evaluating from both a risk assessment and an org fit standpoint. Why?
1) Make sure the tool actually solves the challenge(s) your org is facing, and solves those challenge(s) well (this is where both customer references and backchannel customer references come in handy) 2) You don't want to end up buying a tool that doesn't scale with your needs in one to two years. 3) While a tool may feature the latest tech and innovations, the company that offers the tool might not have longevity, let alone the right security practices. 4) Price isn't necessarily everything, especially if you're evaluating multiple tools for the same problem you're solving. Just because you're getting a steep discount from one vendor doesn't mean it's the best fit or deal (as the saying goes, you pay for what you get and there's a hidden reason why a tool is so cheap).