Corporate Compliance Insights

Making Anticipatory Compliance Your New Best Practice

Thinking Outside the Box to Harden Security and Privacy Practices

by Tom Garrubba
October 4, 2019
in Data Privacy, Featured

Security professionals wake every day to more, and increasingly savvy, data perpetrators who have found new and uncharted means of acquiring data. Shared Assessments’ Tom Garrubba explains why anticipatory compliance is a key way to address this issue.

As sure as the sun rises in the east and sets in the west, organizations will continue to battle both new and long-standing cyber threats. Attempts to penetrate and disrupt the environment include phishing (including “whale phishing,” which targets executives), vishing (voice phishing) and other lures, such as clickbait, that trick users into unknowingly installing malware, ransomware among it. And most cyber professionals will confirm that they always seem to be in reactionary mode rather than proactive.

Too many organizations are faced with monetary losses, reputational damage and other impacts from these threats. And many more find themselves unprepared to meet the compliance requirements of legislation such as the California Consumer Privacy Act (CCPA) and the California IoT law, formally California Senate Bill 327, which requires manufacturers of connected devices sold in the state to equip them with “a reasonable security feature or features,” appropriate to the device and the information it collects, designed to protect the device and the information it holds from unauthorized access, destruction, use, modification or disclosure. Both the CCPA and the C-IoT law take effect January 1, 2020.

How to Shift From Reactionary to Proactive Mode

Cyber professionals must continue to sharpen their tools and think “outside the box” in order to proactively discover the initially unseen ways data perpetrators could gain access to confidential data and cause havoc, and then to document those findings and make the defensive strategies known across the organization.

For years, I have been urging organizations to embrace and practice what is termed anticipatory compliance, not only through the compliance lens, but also through the lenses of security, privacy and legislation. It begins with the understanding that the data compliance professionals in groups such as IT security, privacy, compliance and legal can no longer work in silos; they must share their strategies and knowledge with other business units to help ensure that data is protected and handled properly within the organization.

Former U.S. Attorney General John Ashcroft championed anticipatory compliance years ago. Delivering a conference keynote, he focused on cyber espionage, along with terrorism and homeland security, then offered a striking prediction: Institutions will need to prepare for “anticipatory compliance.” In other words, organizations will need to be able to show that they are actively anticipating, studying and acting on perceived potential threats.

Regardless of industry, and whether or not the organization holds personally identifiable data, this approach makes sense.

Building Resilience

Anticipatory compliance has been defined as “a proactive approach whereby risk professionals, cyber staff and other stakeholders together identify and mitigate risk within the organization and implement best practices both within the organization and among partners to anticipate and meet regulatory, security and business continuity objectives. It also requires applying best practices among partners and across the external landscape to support business continuity, compliance and security.”

With the proliferation of insider and external threats, sharing information helps all parties anticipate and prepare for threats on the horizon. Are there plans to move support or data storage for a critical system to a location that tends to be hit by hurricanes or typhoons, or to a region with a history of political instability? Is there proposed legislation or regulation working its way through state, federal or international agencies that may force us to alter the way we do business or handle data (GDPR or the CCPA, for example)? Are there consolidation trends within key support verticals, and how might they affect internal and partner relationships? These examples of non-cyber threats need serious consideration alongside the typical cyber threat horizon, and a formalized process should be established to address them. That is the core of anticipatory compliance. Anticipating such threats and establishing resilience and contingency plans helps ensure that if they occur, their impact will not be seismic.

To enact anticipatory compliance within an organization, focus on a structured, programmatic approach that covers the methodology for anticipating new threats; documented policies, procedures, standards and practices for dealing with them; and how threat discoveries are circulated to the appropriate organizations and personnel. Note, too, that such an evolving program demands both fluidity and robustness.

The same applies to continuous evaluation of your third parties.

The unexpected events described above can cause major disruptions not just to your organization, but also to your third-party service providers, and ultimately to the consumers who rely on the products and services you provide. Ask your third-party vendors how they are anticipating the threat horizon. Are they monitoring, charting and analyzing risks that may affect their infrastructure, along with the key systems and processes that affect your organization and your customers?

Looking Ahead

As organizations move ahead at full speed to hit required service levels, they may not take the time to gather and review information appearing on the threat horizon. When this occurs, they become locked into reactionary mode and wind up fighting fires, making it increasingly difficult to find time to analyze the threat horizon. And when such time does become available, their resources are all too often pulled right back into the fray to fight the next blaze. Advancing threats thus become an afterthought rather than part of the planning process. One can put all the tools and techniques in place, but all it takes is one phishing email, clicked link or download to put the entire organization in jeopardy.

It is a joint effort between the information security team, the business units and other second-line functions (such as compliance, privacy and legal) to share what they have learned from the threat horizon. It is also imperative that the information security team drive the changes required to protect the organization and help educate employees about these oncoming threats, so they are not lured by a data perpetrator’s bait.

As we keep our eyes and ears on the known threat horizon, we must also keep our minds open to the new and crafty methods data perpetrators are moving toward and experimenting with, so that we can mitigate the risk of a compromise to our own organizations.


Tags: California Consumer Privacy Act (CCPA), Reputation Risk
Tom Garrubba

Tom Garrubba is Senior Director and CISO at Shared Assessments. Tom is an experienced professional in IT risk and information controls, most recently in developing, maintaining and consulting on third-party risk (TPR) programs for Fortune 100 companies. He is an internationally recognized subject matter expert and top-rated speaker on third-party risk.

© 2022 Corporate Compliance Insights