The State of Security for Privacy GRC Tech

November 1, 2021

Happy National Cybersecurity Awareness Month! At TROPT, our mission is to fuel privacy tech and innovation. Because privacy intersects with security, there is a category of tech solutions that address both privacy and security problems. We call these “Security for Privacy” tech because they specifically secure privacy, oftentimes by protecting personal data. [Keep an eye out for the broader TROPT Privacy Tech Stack that’s dropping in a couple of weeks.] Within the Security for Privacy tech category in the TROPT Privacy Tech Stack, there is a suite of tools built for Information Security (InfoSec) Governance, Risk, and Compliance (GRC) professionals. GRC pros and privacy pros naturally work closely together in their day-to-day lives, in light of their shared goal of protecting personal data. 

 

Leading GRC experts

At this month’s TROPT Innovators networking social, we invited leading GRC experts, Adrienne Allen, Coinbase Security GRC & Privacy Lead, and Kimberly Lancaster, who has worked 15+ years in the Privacy, GRC and Security space.

 

Their insights and takeaway for privacy tech vendors in Security for Privacy GRC space

We want to share the following insights and takeaways from our discussions with Adrienne & Kimberly who are buyer-users of these Security for Privacy GRC tools and  GRC experts:
 
  • On the state of Security for Privacy GRC tooling: Many GRC pros still use spreadsheets and other manual solutions, even at the enterprise level. When asked why, they shared a few reasons. First, most of the existing tools out there have historically been immature solutions. Second, they pose such a heavy lift for customers to implement, sometimes taking up to six months. Next, many of the existing products don’t reflect a good understanding of the problems GRC users need solved. Lastly, GRC pros themselves need to first better understand and then articulate the tools that they need to solve privacy and security problems in the GRC space and to do their jobs. 
  • On Security for Privacy GRC tools they’re looking for: Data access management, incident response, data loss prevention, and InfoSec GRC and privacy program management tools.
  • On the build-versus-buy conundrum: Whether or not to custom-build internal solutions versus buy an off-the-shelf one has been a huge debate in the privacy community; it turns out the same is true within GRC. GRC buyers take into account the following factors on whether to build instead of buy a Security for Privacy GRC product: the maturity of the product; the availability of a product that solves their pain points; the breadth of features and functionality available (i.e. they must solve for multiple GRC, security, and privacy problems, instead of targeting a niche use case); and the vendor’s ability to demonstrate their own commitment to security and privacy.
  • On how vendors can demonstrate their own commitment to security and privacy: Vendors have to be prepared to provide information relating to their SOC 2, third-party pen test results, a follow-up vulnerability management process, a data protection impact assessment, and their product’s own data processing (i.e. a product privacy data sheet).
  • On other vendor pitfalls: Beyond the inability to demonstrate their own commitment to security and privacy, buyers and users like Adrienne and Kimberly also shared the following pitfalls that Security for Privacy GRC vendors fall into: lack of understanding of privacy (beyond security); lack of understanding of their own product’s data processing and privacy impact; privacy-insensitive sales and marketing practices; and–we’re thankfully seeing less and less of these today–sweeping statements claiming their product’s ability to achieve compliance with GDPR, CCPA/CPRA, or other data protection regulatory framework (no tool can get you compliant with data protection laws!).

Join us in fueling privacy tech and innovation

We thank Adrienne and Kimberly for sharing their insights as buyer-users of Security for Privacy GRC tools and as GRC domain experts. We also thank TROPT advisors, Melanie Ensign, CEO of Discernible Inc., and Gilbert Hill, privacy tech founder, both of whom shared their respective privacy comms expert and privacy tech founder perspectives in our discussions. We hope the above informs vendors in this space as they build, market, and sell their products.
If you’d like to join TROPT Innovators, you can let us know here
If you’d like to be the first to know about the latest in privacy tech and innovation, you can subscribe to our newsletter here.
You can follow the TROPT Medium Publication here. Or you can also follow us on Twitter and LinkedIn.
Lastly, you can join us at our next conference, TROPT Data Privacy Week 2022 by registering here.