January 1 ushers in a new year, a new decade, and new challenges—as well as new dimensions and re-ordering of existing challenges.  Reciprocity’s Team of GRC Experts share likely developments, trends to watch out for, and how your organization can navigate Information Security Risk, & Compliance in 2020.  With foresight, an organization can proactively take steps to address the challenges of the future.

Our expert panel explores what’s coming:

1. Risk-based, Layered Approaches Eclipse One-dimensional Efforts

“Risk Management and Risk Assurance will overshadow other approaches to GRC as organizations satisfy operational needs”  – Gerard Scheitlin, Founder of RISQ Management

“While the requirements on information security, privacy, and compliance will only continue to expand and tighten, organizations are realizing that it is not technology or compliance that prevents financial or reputational harm. Rather, it is a combination of technology, systems, and governance that manages and reduces the organization’s overall exposure. The only way to encompass all of these areas is through a robust risk management system that provides a tiered approach to risk assurance.” In much the same way that information security applies “defense in depth” methodology for technology, effective risk assurance approaches layer prioritized technical, administrative, and governance defense mechanisms across the entire organization.


Gerard Scheitlin has over 35 years of experience in GRC across multiple industries. He is the founder of RISQ Management, a GRC implementation, services and consulting organization that specializes in custom tailored, client centered solutions.  



2. The GRC Landscape Develops and Expands

“Additional privacy laws and frameworks will continue to be released” – Alan Gouveia, GRC Expert 

 “More requirements will be introduced, and guidance will continue to evolve, which will further complicate the work that organizations will need to do to remain in compliance.”  As these numerous and often disparate requirements expand, how can organizations contend with expectations? With thorough controls and focused attention, says Gouveia. “The need for a comprehensive privacy control set to satisfy diverse requirements grows as demands expand. In 2020 and beyond, that need will become more urgent.”


Alan Gouveia has been working in the regulatory and IT compliance industry for over 20 years, across numerous industries.  



3. New Sources and Dimensions of Data Requirements Push Boundaries

 “Organizations will be overwhelmed by new requirements—from customers, as well as  regulators and governments—which will be compounded by a focus on supply chain/third party risk”  – David Driggers, Product Strategist at Reciprocity. 

“Organizations still grappling with the idea that those requirements come with very real financial consequences will be hit hard with the realization that obligations can’t be outsourced using contracts. Their responsibility for customer data doesn’t end at the border of their own infrastructure.” To be as efficient as possible in a resource-constrained environment, Driggers anticipates that scalable GRC processes, people, and technology will be key. “Looking forward, security posture will be further commoditized, eventually treated much like service level agreements today.” 


David Driggers is a GRC expert with over 20 years of experience delivering common sense cyber security solutions.  




4. Hazards of Noncompliance, Encountered the Hard Way

 “Bad data privacy policies and lack of processes will result in costly fines and loss of business for many organizations” – Dr. Maxine Henry, President of Cyvient 

As more legislators and regulators turn their attention to data privacy, more companies become potentially subject to financial penalties. And, with increased awareness of privacy issues in the marketplace, more consumers prioritize information security.  Organizations that do not recognize and mitigate their risk exposure will experience these negative outcomes. To avoid these pitfalls, Dr. Henry suggests, “Focus on the data. Do you have processes in place that protect data privacy? Can you document information security activities? If there is low-hanging fruit that will enable your organization to better demonstrate compliance, now is the time to take it.”


Dr. Maxine Henry is a global strategist and GRC consultant with over 30 years of experience in information technology. Dr. Henry specializes in cybersecurity, data privacy and protection, governance, risk and compliance.



5. Destinations and Roadmaps Begin to Overlap

“As additional data privacy laws are established, information security and GRC needs will continue to align with data privacy rules.” – Tricia Scherer, IT GRC Expert 

This prediction highlights the growing convergence among topics once treated separately.  As the discipline evolves, it becomes increasingly clear that InfoSec, data privacy, and GRC are interconnected and mutually reinforcing; actions necessary to achieve one objective are also needed for another. This overlap can be positive or negative for an organization. “Investments in InfoSec often benefit GRC and data privacy as well, and vice versa. On the other hand, unaddressed gaps can be damaging on multiple fronts.”


Tricia Scherer has 20 years of IT Consulting and GRC experience across a variety of industries with a specialization in Cybersecurity, Data Privacy, IT internal audit, and a multitude of regulatory frameworks. 


As the landscape continues to evolve, risk and privacy considerations are critical to charting a course to meet objectives.  An organization’s value proposition is not simply what product or service it provides, but how it operates and interacts with its customers, stakeholders, and team. Effective risk and data management is so vital that it may determine not only how fraught the journey is, but whether or not an organization reaches its destination. 

Reciprocity’s in-house team of experts are both leading thinkers on GRC and InfoSec, as well as, practitioners with extensive experience.  With Reciprocity’s expert guidance, organizations can prioritize and focus efforts on the most pressing challenges.