2017: New Year’s Resolutions for a CISO
By: Intel & Analysis Working Group (I&AWG)
Year after year on January 1st we start fresh by taking time to reevaluate our lives; we determine where we are and think about where we'd eventually like to be at year’s end. This recurring tradition usually involves creating a list of resolutions that will be used as a guide to help navigate our way through another 365 days of living happier, healthier, and more efficient lives.
So here we are, at the beginning of 2017 with a list of 14 resolutions that will definitely make being a CISO a little easier. Feel free to pick a few and add them to your list of resolutions or take them all on and do a bit more this year! (There is also a handy one-page printable version that you can hang as a reminder or print and put by the water cooler to get everyone on board with improving cybersecurity.)
In 2017, I resolve to:
- Learn: Once a month I will make time to listen to a podcast about a cybersecurity topic that interests me. I’ll also encourage my staff to devote an hour a month to continue their own training so we can learn and improve as a team. From TED Talks to SANS and Bright Future, there is a wide variety of free podcasts and webcasts that can help make this resolution a reality.
- Engage & educate my organization: I will take advantage of the resources provided to me by the MS-ISAC and other resources such as the Stop.Think.Connect campaign and incorporate them into my organization. (A great starting place is the MS-ISAC National Cybersecurity Awareness Month toolkit and posters, and the MS-ISAC Monthly Newsletter.)
- Renew my efforts to follow trusted cybersecurity guidelines: From the CIS Controls to the NIST Framework, I will follow these valuable recommendations to help ensure I am doing everything I can to protect my organization from cyber threats. If I’m not already following these best practices, I resolve to implement at least one of them this year.
- Review and update my network inventory and maps: To make sure I know and control my network, I will inventory all my hardware and software. I will identify and remove unauthorized systems and applications. (Hey look, that’s CIS Controls 1 & 2! I guess that means I’ve already met resolution #3!)
- Review my users’ permission levels: I will ensure I’m adhering to the Principle of Least Privilege. (CIS Control 5 - I’m on a roll!)
- Ensure each of my plans is up to date and covers new IoT threats: I’ll make sure IoT devices are behind a firewall, part of my patch management system, and that I change their default passwords during setup. I’ll make sure my policies cover the use of apps that facilitate recording, remote access, and cloud storage. I’ll also get employees to re-sign their computer user agreements if I update things or if it’s just been a while.
- Check my product list for End-of-Life/End-of-Service issues: I’ll look at the CIS EOL/EOS blog post and review my patch management program to ensure everything is current, patched, and will stay that way all year long.
- Ensure that the other teams I work with are aware of and incorporating best practices for cybersecurity: This includes my developer teams, my supply chain and vendors, and my industrial control system engineers because it all starts with the code, and my cybersecurity is dependent on theirs.
- Review all Internet-connected devices: I’ll look at what is Internet-facing to make sure it really should be, and to make sure it is not using default login names and passwords.
- Learn from history instead of repeating it: I will review my response to 2016’s challenges to make sure that my incident response plan incorporates the lessons learned, that the corrections were implemented properly, and that they are still working.
- Conduct vulnerability assessments: I’ll take some time, or hire help, to conduct vulnerability assessments and remediate problems the assessments uncover, before someone else finds the vulnerabilities for me!
- Develop at least three new relationships with other cybersecurity experts: I’ll spend some time creating relationships with other CISOs, private experts, educators, and law enforcement, so we can share intelligence, learn, and build a stronger cybersecurity community, together. I’ll also encourage my staff to do the same.
- Participate in (or run!) at least two exercises: From the 15-minute exercises on the MS-ISAC monthly calls to local/national exercises that I can play in, I’ll take the time to make sure my staff and I gain this valuable experience.
And finally, I resolve to:
- Step back and have fun with my team to build camaraderie before times are hectic.