Top 3 predictions for 2018 – a year of change

By French Caldwell

MetricStream Chief Evangelist

French Caldwell, MetricStream

In what is becoming an annual event, MetricStream’s chief evangelist, French Caldwell, provides GRC & Fraud Software Journal readers with predictions for the upcoming year.


Prediction 1:

Data controllers and others face surge in complaints

In 2018, large data controllers, data processors, and privacy authorities will be found to be unprepared for a surge in requests and complaints by data subjects. The new EU GDPR expands the rights of EU citizens with several new rules, including the right to rectification, right to erasure, the right to object, and the right to restrict processing.

Privacy advocate groups will launch campaigns that drive large numbers of EU citizens to test these new rights. Many companies and government organizations will find they are vastly under-prepared to manage the large volume of requests and complaints.

Furthermore, many privacy authorities will not be prepared to manage the large number of complaints they receive. To prepare, data controllers should have robust case management processes in place, and they should ensure that their third-party data processors do as well.

Likewise, privacy authorities should evaluate their complaint management processes and ensure they are ready for a large surge.

Prediction 2:

The first €1 million or more penalty under GDPR

In the event of a data breach, the new EU GDPR regulation provides for large penalties, up to 4 percent of revenues or €20 million, whichever is larger. With the number of large data breaches growing, it is only a matter of time before a large breach occurs under the new regime.

While typically with a new regulation, there is a period of adjustment where regulators work through enforcement priorities, in the case of GDPR European privacy authorities are under a very public spotlight.

The first few companies or government agencies with a large data breach will set the standard for enforcement – especially if they delay reporting it.

While Europe has had many fewer reported data breaches than the U.S., that could change with GDPR's mandatory requirement to report breaches within 72 hours of becoming aware of them.

The best defense for data controllers and processors will be strong data protection and cybersecurity programs that are well tested, documented, and ready for an audit by privacy authorities.

Prediction 3:

Regulatory technology primary driver for GRC

In 2018 and 2019, regulatory tech – which utilizes information technology to enhance regulatory processes – will emerge as the primary driver of technological innovation for the GRC market.

Just as biotech is driving innovation in the life sciences industry, and fintech is doing the same in finance, regulatory tech is starting to impact the research and development investments of major GRC providers.

Artificial intelligence and machine learning applied to both unstructured and structured data to discover new risk and threat insights are the obvious technical leaders of innovation, but not the only ones.

Alexa-like advanced chatbots will enable users to quickly navigate applications, create reports, and discover relationships between risks, controls, processes, performance, assets and other data objects.

Hybrid machine-human scoring of third party cybersecurity, financial, and sustainability risks will supplement onboarding and continuous monitoring programs.

Facial recognition will provide a new means of assurance for data access and separation of duties. To gain competitive advantage, GRC vendors will increase funding for regulatory tech initiatives both organically and through acquisitions.


Most organizations unaware when employees violate policy and rules

From MetricStream press release

French Caldwell, MetricStream

More than half of organizations (55 percent) can’t tell when their own employees violate company workplace rules and policies across the enterprise, according to a revealing survey by MetricStream.

The company, a developer of governance, risk, and compliance (GRC) apps and solutions, said the survey, “What Makes an Effective Policy Management Program?” paints a picture of how organizations create, manage, and communicate policies.

Other results from the survey:

While only about 1 in 4 organizations use policy management software, the benefits they enjoy are significant. Of these organizations:

  • 21 percent take less than a month to develop and publish a policy from scratch
  • 70 percent do not consider it challenging to author and distribute policies, or provide training
  • 60 percent encountered fewer than 50 policy violations in the last year

Policy management software eases policymaking

  • 80 percent of organizations using policy management software on a GRC platform take less than three months to author and publish policies, compared to only 55 percent of organizations using pure-play policy management software
  • 42 percent of organizations that require employees to attest to certain policies encountered fewer than 50 policy violations.
  • 59 percent of organizations that have mapped their policies to risks and compliance requirements do not consider it challenging to update policies as regulations evolve.
  • The majority of organizations that use standardized policy templates (62 percent) take less than a quarter to develop and roll out a new policy.

French Caldwell, Chief Evangelist at MetricStream, said the survey shows automation and consistency work.

“Our survey findings indicate that an integrated and consistent approach to policy management can yield significant benefits,” Caldwell said.

Many organizations have written policies, but much more is required to ensure that those policies are adhered to across the enterprise. To build a pervasive culture of ethics and risk-intelligent behavior, organizations must ensure that their policies are communicated effectively and updated regularly in line with regulatory and business changes. Moreover, policy compliance and violations must be tracked and addressed proactively.

“Those surveyed who have mapped policies to risk and compliance requirements, have integrated training into policy management programs,” Caldwell said, “or are using policy management software on a GRC platform are able to create and communicate policies faster, update them effectively, and minimize compliance violations.”




Q & A with French Caldwell, chief evangelist at MetricStream

French Caldwell

Q: How are companies failing to protect business continuity in their platform integration?

A: One of the biggest challenges we found in a recent MetricStream research survey is that companies aren’t looking at the impact of third parties on their business continuity planning. We found that over 50 percent include third-party risk management in their enterprise risk management, IT risk management, and compliance programs, but just 36 percent included third-party risk management as part of their BCM program.

On the other hand, survey respondents ranked “disruption” due to third parties as one of their chief concerns. Considering that companies are so dependent on extended supply chains, IT service contractors, and cloud solutions, this concern over disruption is warranted. Yet, there appears to be this disconnect between the BCM organization and third-party risk managers.

Three areas of concern

Q: What are three places where companies can improve their vendor risk management – ensuring vendors aren’t harming one’s company?

A: First, just creating a single source of truth for vendor profiles is a good start. You really can’t do vendor risk management if you don’t know who your vendors are. Often we see companies start a VRM program in response to a regulatory requirement, but then they realize, wow, now I know who my vendors are.

Second, it’s important to risk tier vendors. Most companies who get serious on VRM will create three risk tiers. The high risk vendors, which may just be 1 to 5% of vendors, then medium risk, maybe 10-20%, and then the low risk or tactical vendors. This is important to do, since it’s just impossible to do the same high degree of due diligence and continuous monitoring on all your vendors – especially for companies who have tens of thousands of them.

Third, as I mentioned, including third party risk management as part of the business continuity planning is important. BCM planners need to identify those vendors that could have the highest disruptive impact, and ensure they include them as part of their business impact analysis.

Falling short with cybersecurity

Q: Is cybersecurity attainable? Where are companies falling short with enterprise risk management programs?

A: Most CISOs are really not confident that their enterprises are safe from a cyberattack. And that concern is justified. Financial services organizations are the most prepared, and yet in a recent MetricStream Research survey, we found that 37% of financial services organizations had faced over 10 cyberattacks in the previous year; 15% had faced 100 or more. That’s astounding.

As far as enterprise risk management, there is some good news. Most enterprises now consider cybersecurity an important element of enterprise risk management – more than 90 percent of the respondents to our survey of financial services organizations. We have also found that 59 percent of all enterprises include third-party risk management within their enterprise risk management program. Furthermore, according to MetricStream Research, the top two business drivers for investment in integrated GRC, are improving overall risk oversight (71 percent) and new business initiatives that are introducing new risks and regulations (58 percent). These results indicate that executives expect GRC not just to support better compliance, but also to contribute to an overall understanding of risks and their impacts on the business. Over the last 10 years, GRC has evolved from a tactical compliance investment to a strategic business investment.

Innovations to MetricStream’s M7 GRC Platform?

A: With the M7 Platform and Apps, MetricStream is the first GRC solution provider to bring consumer-like IT to GRC professionals. With user-centric design, we have shifted GRC software from being organization-centric to being people-centric. Why is this important? First, if you’re a GRC professional – an auditor, risk manager, compliance manager, or IT security professional, you spend much of your working day in front of a screen.

Difficult-to-navigate enterprise software with cluttered screens and rows and rows of input forms is not going to drive the greatest productivity for the business. Engaged employees deliver more value to their teams and their organizations – so by designing our new M7 GRC platform and apps to be user-centric, we are engaging the users. And not only is it more engaging and personalized, it is more easily configured to adapt to the users’ needs, it can be accessed through any device, freeing the user from their desk, and it provides exceptional analytics that provide better insights from the wealth of data in the app.

Secondly, if you’re not a GRC professional, but need occasional access to a GRC app, you shouldn’t have to learn how to use it – it should be intuitive and self-learning. In M7, we’ve done this through a consumer look and feel, and explanatory learning tiles that appear when you hover over items on the screen.

And, taking this even further, why should most employees have to access the GRC app at all? MetricStream’s M7 architecture enables what we call layering – we layer GRC into Salesforce for instance, so that a sales person doesn’t need to go to the GRC app to acknowledge policies for instance.

The bottom line is that by designing engaging user-centric GRC software, we make GRC professionals more productive, and for other employees, we don’t make them learn a whole new app, when all they may need to do is acknowledge a policy or access a report.


Can government be trusted with a company’s proprietary information?

By French Caldwell, chief evangelist, MetricStream

Special to GRC & Fraud Software Journal

French Caldwell

I thought the 2015 Office of Personnel Management breach was bad, but the recent National Security Agency hack was even more devastating.

In June 2015, OPM discovered that the background investigation records of current, former, and prospective Federal employees and contractors had been stolen, including the Social Security Numbers of 21.5 million individuals.

Worse, the stolen data included information on 1.8 million non-job applicants, primarily spouses or co-habitants of applicants. Add to that 5.6 million stolen fingerprints in the hands of financial criminals and you can say goodbye to many Americans’ security.

In recent weeks the United States has found itself in a cyber Cold War, a real-world “Hunt for Red October” in which American intelligence personnel skilled in cyber warfare and counter-cyber attacks troll for signs of enemy intrusion in government computer networks.

Bizarre new world

The bizarreness of it all became apparent in the presidential race, when hackers believed to be Russian broke into Democratic National Committee databases, making it a central point of contention between the Republican and Democratic presidential candidates.

Then the U.S. government warned that foreign hackers might even attempt to muddle voting results displayed in digital election records come November.

Then came perhaps the most serious breach of U.S. government networks thus far: Hackers in late August stole cyber warfare tools and hacking software designed and owned by the National Security Agency. The secrecy of the NSA’s cyber weapons is essential to its effectiveness.

Though foreign hacking isn’t the same as a nuclear submarine threatening America’s coastlines, the NSA hack means America’s entire library of hacking tools has probably fallen into the hands of our adversaries. What network can be safe?

Enemies selling NSA hack tools

Then last week, a group calling itself the “ShadowBrokers” announced an auction for what it claimed were “cyber weapons” made by the NSA.

As of now, all other national security agencies, including Britain’s Government Communications Headquarters, should be deemed vulnerable. If the NSA has been hacked, the chances are that GCHQ, too, has become a victim, along with the NSA’s other Five Eyes partners – the intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States.

Forget the fact that many of the NSA files date back to 2013; there will be future ramifications. All national governments are pushing for increased collaboration with business, to tackle a very real cyber security threat, but incidents like this raise serious questions over the safety of co-operation.

Companies can’t trust government security

The 2016 Presidential Policy Directive on United States Cyber Incident Coordination calls for private companies that have suffered theft of customer data to share what has been stolen, along with other proprietary information, with the FBI and other federal government agencies so they can investigate the crime.

But why shouldn’t private corporations and smaller businesses be worried that governments can’t protect their own information? Private businesses are understandably skeptical about sharing their proprietary information when partnering with government in the aftermath of data breaches.

Why should businesses trust the government to protect their secrets when they can’t protect their own?

The federal government needs to get its house in order first.

After all, how much sense does it make to put one’s proprietary data in a government safe for which the criminals already know the combination?


Cyber security directive unrealistic, GRC executive says

By John L. Guerra

Editor, GRC & Fraud Software Journal

French Caldwell

The White House Cybersecurity Policy Directive, announced last month, is the federal government’s latest attempt to unify efforts among federal agencies, law enforcement and private businesses that have been hit by a breach, data theft or other network-crippling event.

Tough issues prevent real collaboration among these arms: businesses are uncomfortable sharing proprietary information with the government and law enforcement, and executives find it hard to imagine federal agencies leaping into effective action in the hours after an especially big breach.

The document does spell out the hierarchy of efforts within the Federal Government and calls for especially close coordination between the public and private sectors. The directive also creates a Cyber Unified Coordination Group (UCG) that “coordinates response among Federal agencies in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts,” the directive states.

The FBI is the lead federal agency for investigating criminal and national security hacks. The Department of Homeland Security has the baton in helping breached organizations reduce the impact of an event and prevent its spread. The Cyber Threat Intelligence Integration Center, or CTIIC, pools intelligence to help identify who directed an intrusion or attack.

But does the directive change anything?

We asked French Caldwell, chief evangelist of MetricStream, to weigh in on the directive.

Question: What does this mean for the private sector with federal contracts? Are they to comply with the directive if they use data from government servers in their contracts?

A: There’s nothing specific in the directive, but like other cybersecurity guidance, e.g., Federal Information Security Management Act, you should expect that any contractors, research universities, and others that are operating under federal contracts will be required to meet the same standards as the agencies with whom they are affiliated.

Q: Do you see anything that is unrealistic or ungainly in the directive?

A: Absolutely. The expectation that a unified coordination group (UCG), can be stood up following an attack is totally unrealistic. When we have a plane crash, we know the National Transportation Safety Board will investigate.

When we have a natural disaster, we know FEMA will respond. But in the case of a major cyberattack, we’re expected to respond with a sandlot, pick-up team. And only then, if two or more federal agencies agree.