Imagine GRC in 2030: a Q&A with RegScale’s Travis Howerton
Published 08/06/2024
Originally published by RegScale.
Digital transformation, a raft of new state and federal regulations, and the exponential pace of change are quickly disrupting governance, risk, and compliance (GRC) processes for organizations and the CISOs who manage them. Big changes are ahead leading up to the year 2030 and beyond. We sat down with RegScale’s Co-Founder and CEO, Travis Howerton, to hear his thoughts, insights, and predictions for GRC in the 2030 world—and how you can prepare.
Q: What is happening now in the GRC space that will have a major impact on how organizations are governed and regulated in 2030?
A: Travis Howerton: There are three big trends in the GRC space that are changing things. Problem number one is the ephemeral nature of our IT infrastructure as everything becomes cloud native. If you think about it, most of these regulations were built for an old world, where everything was client-server based behind a firewall and relatively static. You could document it. You could harden it. In today’s world, workloads are ephemeral. They spin up and down and they move around, so they’re very much a moving target.
The second problem is the growing number of regulations—scope creep. It’s not enough to just hit one. It’s what I describe as the “cyber Oprah effect” where everybody gets a framework and the associated controls, and we’re all having to deal with that.
The third thing is that your scope is moving. Moore’s Law continues unabated, which means in 2030, you’re going to have to do it four to eight times faster. The thing I ask people is, “Are your staff and your GRC program equipped to handle a constantly moving target—at twice the scope at eight times the speed?” In fact, nobody is. Those are the trends that are breaking things.
In my view, everywhere you go, people are struggling with these same problems and having this pain. The question is what do you do about it to position for 2030? Because what we’ve always done isn’t going to work in that new environment.
Q: On the regulatory side, what rules and laws do you expect to be in full play by 2030 and how will it impact those tasked with GRC within their organizations?
A: Travis Howerton: I think you’re going to see an increase in the amount of attention from the Securities and Exchange Commission (SEC) on cyber report cards because it’s being viewed increasingly as a material risk to the business that needs to be disclosed—so people can make better investment choices. I think that trend will continue.
If you look at the nature of cyberspace today, we’ve enjoyed decades of relative peace. But that is rapidly changing. If you look at the Ukraine situation with Russia, the Middle East with Israel, what could happen soon with Taiwan and China—you can see the world is increasingly unstable. So, what you’re seeing now is a regulatory reaction to that. I expect to see more critical infrastructure mandates and reporting coming out of the U.S. This includes more things around business resiliency for critical infrastructure. You’re already seeing that with the Digital Operational Resilience Act (DORA) in Europe. I expect that to make its way back to the US the same way the General Data Protection Regulation (GDPR) did.
I think what you’re going to see is a pile-on effect. If the world’s getting more dangerous, cybersecurity is becoming a new war domain. You can move from cyber in the ephemeral world into cyber in the physical world—and weaponized. In March 2024, the U.S. government issued a warning about Volt Typhoon, a Chinese state-sponsored hacker group, about the group’s penetrations targeting critical infrastructure (like water and waste treatment plants) in the U.S. in a way that can only be construed as an overt threat. There’s no reason another country would care about a water treatment plant. They’re just saying we can touch you and wipe out large portions of your population at will. As we had suspected, they were doing certain things. Knowing the facts of how deep they are, and publicly disclosing that, has been a big wake-up call across the critical infrastructure community.
Another trend that can be seen is a rise in nationalistic sentiments, with some corporations pulling back from offshoring manufacturing and data centers. There will also be an increasing push for organizations to control their supply chains better.
Q: Are more stringent data privacy laws coming, and how will a national consumer data protection act impact all the documentation already required with the patchwork of state laws that organizations must comply with?
A: Travis Howerton: Yeah, there’s definitely more coming. It would be nice if we had more of a nationwide approach to it and we updated the Privacy Act and we had less state-by-state stuff. But you’ve already seen it with the California Consumer Privacy Act (CCPA), which is basically a rough mirror of the GDPR, but with some nuance. I think dealing within our state-by-state level makes it very difficult for companies to maintain compliance with those things. So, hopefully, you’ll see more of those things centralized and the government giving wide mandates.
I do think you’re going to see increased political effects. Part of why the world’s becoming more dangerous is that people are becoming more nationalistic and pulling back. Whether it’s onshoring manufacturing or onshoring data, there is this increasing view across the world that if the world’s going to become more dangerous, you need to be able to control your supply chains and your data a little better.
Q: What industries will lead the way? What will happen to those who either fail to meet or fall out of compliance because of more stringent data privacy laws?
A: Travis Howerton: It’s always been my experience that Financial Services tends to take the lead in these things. They have the best ability to draw a straight line between do or do not—and what it means financially, because they deal with dollars and cents. I think it’s harder for other organizations to directly quantify that, and I think it’ll depend on how much teeth is in some of that stuff; that includes being prevented from doing business or facing severe fines.
Q: Can you discuss where you see the following technology trends will land by 2030 on these key issues?
1. Continuous controls monitoring
A: Travis Howerton: They’re going to be table stakes because there’s no other way to do it. The traditional approach to GRC is dead. I think there’s got to be more developer-friendly compliance as code, in the same way that Agile largely killed Waterfall. You need to embrace change and speed, and I think it requires a new architecture. I think the Gartner research aligns with that; if you look at some of their projections, it will be a dominant approach by 2027.
2. AI and machine learning (ML) into GRC solutions
A: Travis Howerton: These are table stakes again. I think this is a great example of Moore’s Law, where humans don’t think well in exponentials. As an analogy to that, I grew up in a world where we talked about the Turing test. The Turing test was an exercise asking whether you could have a conversation with a computer for a while and not know the difference. We went straight past that to super intelligence like ChatGPT. Not only can you not tell the difference on the other side, it gives better answers than you will about 90 percent of the time. If you look at how much better it is than three years ago, it’s outscoring humans 93 percent of the time on standardized tests.
Then you extrapolate Moore’s Law, and you can see it’s going to be four to eight times better at just raw compute. That’s just a linear look at how much it will compute. It would be four to eight times better, but it won’t be linear. They’re making advances in algorithms and other things that will improve it, and the corpus of data is getting better when you look at that in aggregate.
I think a whole bunch of things we count on humans to do are “stare-and-compare” exercises. In the GRC world, we will be completely replaced by machines. What I think will not be replaced by machines is business decisions. No one wants a machine making strategic business decisions for their business. What they want is for that machine to take the workload off your top minds—informing them with better data so they can now spend more time making the right decision. It’s not going to eliminate all the people in this industry—it’s going to supercharge them, so they can get all the work done with the same number of people. This is important because we’re not educating enough people to serve in these roles as a country, so I think automation is the only answer to that.
3. Cloud-based GRC solutions
A: Travis Howerton: I think some organizations have been slower to adopt fully cloud-based solutions just because this is inherently sensitive stuff—the last stuff you’d want to trust somebody else to manage on your behalf. But I think the trend of everything in the cloud will increase the more GRCs achieve FedRAMP and other higher certifications. At some point, it’s more secure than you can make it on-premises and more cost-effective. So, as a function of time, it will move to the cloud, but I think the government will be one of the slower adopters because there’s less positive incentive to do it initially.
4. Automated risk identification and continuous risk management
A: Travis Howerton: This is an area where we’ve really leaned into the API economy, where everybody has a stack regardless of what tools you’re using. The problem is that we have stack overload where we have too many tools and so it’s about really being better at our workflows and how we use that data to make the right decisions and focus on the right things.
I think it’s going to be a trend towards platform consolidation. You kind of see this with the big players gobbling everybody up and having one stack to rule them all, where I can say, CrowdStrike, Palo Alto, or whoever, just handle this for me with your stack. Combined with cloud-native solutions to sift through all this data, this makes sense if it’s combined with better workflow solutions to make sure we’re assigning the work out correctly and getting the human eyes on the right targets faster.
5. Enhanced cybersecurity and data privacy capabilities
A: Travis Howerton: Enhanced cybersecurity is increasingly going to be a given. I think that’s the next major boom. We’re entering the early days where we’re going to use AI to defend better and to do GRC-related things better. But we’re also going to see deep adversaries use AI to attack better and to scale their business. As these things get smarter and faster, you’re going to increasingly be AI versus AI. AI wars are just beginning, and that’s sort of how we’re using those things right now. They’re not replacing people in autonomous mode, but they are increasingly moving in that direction—all the way onto the battlefield in different circumstances. It’s going that direction, where the machines increasingly can make decisions faster, and with more data than a human can.
6. Enhanced predictive analytics
A: Travis Howerton: I think it’s changing. For a long time, it was about getting a large corpus of data and training neural networks and models on it. I think some of the leap forward we’re seeing is in the large language models and their ability to process enormous amounts of unstructured data into interesting things. That includes self-driving vehicles and all those sorts of things. It’s moving much faster and that’s exponential growth.
Q: Drilling deeper into CCM, how is AI already supercharging this technology and, in turn, employees’ ability to achieve and maintain compliance?
A: Travis Howerton: We’re already seeing organizations scaling their business or their practice on it. And it’s doing a couple of things. You’ve got two universes. You’ve got the automated technical controls, where many of the existing security tools do a great job and can check your vulnerability state, configuration, backup, and all those sorts of things. But you’ve got a whole universe of administrative-type controls, too. Do you have a policy? Was it updated? That’s where it’s still very much a stare-and-compare, people-driven process. Getting humans to know better how to build programs and to build them better—to not need that senior person over top of them, always checking their work. That’s how AI can help them.
The big dirty secret in the security industry is we’re terrible writers. We could use AI to just fix their writing—to take the nuggets of what was good about it and make it better. Then give us the ability to audit things, where we don’t just have long queues of backlogs where you’re waiting on a human to put eyes on target and review and get something out. We can have AI do it instantly. Self-service. So I think you’ll see those trends already happening, and then you’ll see it increasingly get better and more autonomous. Right now, we are supercharging humans. Eventually, there’ll be areas where we could just completely replace the human for certain lower-level functions. And they’ll be glad we did because they don’t want to do them. They’ve got a huge backlog of more valuable work they could be doing.
Q: Tell me more about how compliance-as-code (CaC) works in the GRC context, and how prevalent it will be by 2030. How does it fit now in the CI/CD pipeline for software developers vs. six years ahead?
A: Travis Howerton: Yeah, today you largely see compliance as code. You’ll hear about the software bill of materials, or SBOM, today. That’s kind of where most of it is: when I build something and I want the ingredients of what’s in the software. And this was driven by some of the Log4j and SolarWinds issues, where we as an industry didn’t know how to respond when they compromised something we all trusted. We said, “Well, where is that?” And the answer was everywhere! And then it was “Crap, what do we do? How do we know? How do we get it out?” So, there was this big push that you needed more transparency. That’s what generates the software bill of materials, which is a machine-readable ingredient list, basically, for what goes in your software.
What you’re going to increasingly see is things like NIST OSCAL, the Open Security Controls Assessment Language. The idea is that we should not be generating massive Word and Excel documents that are instantly out of date and are unstructured data. We can be more precise. We can represent this in a machine-readable version that plays better in the DevOps environment. Let machines attest to their own state. Now when we generate a package, we have a machine-readable artifact. Then you’ll be able to use AI and algorithms and other things to automatically audit and assess the security of that system in a more precise way than if it were unstructured. That’ll be increasingly the trend. It’ll also make things more operable as a function of time. You think about modern DevOps shops where we do everything as infrastructure as code—except for our compliance part that we do at the end, where we revert back to Excel. Increasingly, we need that to be fast too, and so that’ll be the trend.
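As an added example (not code from RegScale or from the interview), here is what the two halves of the answer above look like when joined in a pipeline: a Python check that consumes an SBOM, answers the “where is that?” question for one component, and emits a machine-readable finding instead of a spreadsheet row. The SBOM content (a CycloneDX-style shape), the component versions, the `fixed_in` threshold, and the mapping to control SI-2 are all constructed, illustrative assumptions; a real check would read the SBOM produced by the build and take its thresholds from a vulnerability feed.

```python
"""Compliance-as-code over an SBOM: locate a component and emit a machine-readable finding.

Added example; the SBOM below is constructed and not from any real build.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM in a CycloneDX-like shape (assumption: field names follow CycloneDX JSON).
SAMPLE_SBOM: Dict = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "billing-api", "version": "3.2.0"}},
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.15.2"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    ],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1). Non-numeric suffixes such as '1-rc' become 1,
    which keeps tuple comparison well-defined for the simple dotted versions used here."""
    parts: List[int] = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_affected(sbom: Dict, group: str, name: str, fixed_in: str) -> List[str]:
    """Return every instance of group:name in the SBOM whose version is below fixed_in.

    Answers "where is that?" directly from the artifact rather than from memory:
    the same library can appear more than once (shaded jars, transitive copies).
    """
    floor = parse_version(fixed_in)
    hits: List[str] = []
    for component in sbom.get("components", []):
        if component.get("group") == group and component.get("name") == name:
            if parse_version(component["version"]) < floor:
                hits.append(f'{group}:{name}@{component["version"]}')
    return hits


def assess(sbom: Dict, group: str, name: str, fixed_in: str, control_id: str) -> Dict:
    """Produce a structured finding a pipeline gate or GRC tool can consume.

    The control mapping (e.g. SI-2, flaw remediation) is an illustrative assumption;
    the shape is deliberately small and is not a full OSCAL assessment-results document.
    """
    affected = find_affected(sbom, group, name, fixed_in)
    subject = sbom["metadata"]["component"]
    return {
        "subject": f'{subject["name"]}@{subject["version"]}',
        "control-id": control_id,
        "check": f"{group}:{name} >= {fixed_in}",
        "status": "not-satisfied" if affected else "satisfied",
        "evidence": affected,
    }


if __name__ == "__main__":
    finding = assess(SAMPLE_SBOM, "org.apache.logging.log4j", "log4j-core", "2.17.1", "SI-2")
    print(json.dumps(finding, indent=2))
    # A CI gate can fail the build on the structured status, not on a human reading Excel.
    raise SystemExit(1 if finding["status"] == "not-satisfied" else 0)
```

The point of the `evidence` list is that the finding carries the proof with it: the exact coordinates of the old copy, so the remediation ticket and the auditor’s machine-readable package are generated from the same artifact the build produced.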
Q: How will risk-based decisions be different for security analysts in 2030 based on everything we’ve discussed? And what do organizations need to do before then to ensure these cybersecurity professionals are well-equipped to do their jobs?
A: Travis Howerton: If you go more CCM, compliance as code, it’s going to be closer to real-time. What’s going to be different is you’re going to get more timely insights. So when you think about problems we have, like we may have hundreds of controls that we do a sample of a third of them every year. So, once every three years, we look at something. Well, a lot can change in the cyber world in three years. For the worse, the attacks change, things get misconfigured. It’s probably not an acceptable risk to wait that long. The ability to continuously audit things, to always know where you’re at, to find problems when they’re smaller, means the adversaries have less time to exploit them.
I think all those trends go in the right direction. Historically, the problem with using it is that we didn’t have enough time, money, and resources to throw that many bodies at doing it that often. But I think the automated approach lets you get a larger sample size, more frequently, which should result in finding problems sooner and fixing them when they’re cheaper.
When it comes to preparing people for the future, I think this is one of those areas where it’s very easy to see yourself getting left behind. When your staff doesn’t know what compliance-as-code means or asks ‘What is a YAML file? What is this JSON thing? Just give it to me in Excel like I always had it,’ then they are either going to get disrupted by this trend—or they’re going to hold your organization back from taking advantage of all these new emerging technologies.
You don’t want your employees to be the next Blockbuster Video, where they constantly deny that Netflix and streaming are a thing, right? You just convince yourself that the way you’ve always done it is the right way. And next thing you know, there’s no more Blockbuster. I think people have a chance to add more value to their careers, what they do, and how they’re compensated. That’s a positive for them, but it also requires them to embrace the change and be part of it.
Q: What is your top advice to organizations trying to prepare for what is coming by 2030?
A: Travis Howerton: My top advice is always that the best plans start with the truth. I had a boss who taught me that when I was in Oak Ridge. I had a project that wasn’t going well and I was kind of tap-dancing around to say what I wanted to say, and he was just like, basically just spit it out, Travis. The best plans start with the truth. You can accept it now, you can accept it later. It’ll still be true.
He said the key is in how quickly can you get to the truth and how can you come up with a plan. What are you going to do about it? Now I ask people if things will be more cloud-native as a function of time. Yes, it is. Is it true that the regulatory environment is going to get worse, not better? Absolutely.
There’s tons of evidence directly to that, and Moore’s Law. Yes, it’s still true: the pace of change is not slowing down. The world’s never been this fast before, but it won’t ever be this slow again. When you look out at all the things I mentioned above: “How do I hit a moving target at twice the scope moving eight times faster?” The quicker you understand that and believe it to be true, you can rationalize it in your head and start thinking about what strategies are needed to prepare my organization for this problem so we can thrive in this hyper-scale, hyper-speed world versus getting disrupted by it. That’s my biggest takeaway. It’s not a RegScale thing. Regardless of what your strategy is, you better have one, and you’ve got to be thinking about it to get ahead of the problem.
Learn more about the future of GRC!
With AI technologies, ever-growing regulations, and other issues poised to disrupt GRC by the year 2030, CISOs need to know what to expect. Check out our must-read guide on leveraging continuous controls monitoring (CCM) to future-proof your organization’s compliance. Download our white paper, “GRC in 2030: A CISO Survival Guide” now!