2019 New Year’s Resolutions for CISOs
As CISOs, it’s our job to ensure all information, assets, and technologies are protected from cyber threats. Throughout the year some high priority items get pushed farther and farther down as new projects and threats develop. In an effort to help my fellow CISOs out, I’ve shared a list of what I’ll be working on in the new year in hopes that you’ll find it helpful in prioritizing your efforts in the year ahead.
1. Know your data
You can’t defend what you don’t know you have. As cloud technologies and mobile devices become workplace staples, it’s essential that CISOs consider all data for which they are responsible. Start by taking an inventory of all hardware and software your organization uses. Next, map out where data lives – whether that’s on a hard drive, in an application, or in the cloud.
2. Make an actionable crisis management plan
A crisis management plan must be actionable in order to be effective. Make sure the plan identifies which parties in the organization need to take action in a specific crisis scenario. Each role should also have specific tasks assigned, so everyone knows what to do when a situation arises.
3. Make cybersecurity relatable to employees
People are much more likely to take action when they understand what to do and why it’s important. Educating your employees about protecting their PII (personally identifiable information) can go hand-in-hand with education that protects organizational data. Many of the same skills will be useful, such as:
- learning how to spot a phishing email
- ensuring applications are up-to-date
- knowing how to avoid potentially dangerous or vulnerable websites
4. Account for risk and burden in your controls
Many organizations rely on a combination of best practices and security guidelines to harden their systems and data. No matter how you set organizational controls, your method should account for risk and burden. We developed CIS RAM (Center for Internet Security Risk Assessment Method) to help organizations accomplish this. CIS RAM helps businesses implement the CIS Controls best practices in a risk-informed way with instructions, templates, and more.
5. Tools need a process and a process needs an audit
When developing tools, look at the processes behind them. Consider implementing DevOps – taking into account security from the start. DevOps brings together software development and IT teams to help build and test applications together. DevOps processes should be audited and reviewed to ensure they are both collaborative and efficient.
6. Vulnerabilities are only the fruit - find the root of the problem
New software vulnerabilities are being discovered every day and will continue to be exploited by cybercriminals in 2019. Rather than chasing the latest threat, focus on implementing basic cyber hygiene and security best practices. Many data breaches are caused by known configuration flaws and security gaps. Implementing consensus-developed configuration standards like the CIS Benchmarks can go a long way towards your overall security posture.
7. Make third-party risks tangible
Between different applications, cloud providers, and “as-a-Service” offerings being used by organizations worldwide, it’s important for CISOs to take into account third-party risks. Identify which data and software reside with each third-party provider and delineate who is responsible for which security tasks. Then, communicate with your providers to develop a “shared security responsibility” model. This will give you greater peace of mind and a clearer picture of your third-party security risks.
8. Teach employees to become more security-minded
Employees everywhere – at schools, small business retailers, even your local ice cream shop – need to be aware of cybersecurity. Much the way that everyone learns basic security drills in case of fire or flood, employees should know what to do when a cyber incident occurs. Make sure you communicate what employees should do if they receive a suspicious email or download a malicious file.
9. Make 2019 about governance
UDP port 2019 is known as “about” – but what’s 2019 about? For CISOs, governance will be key. We must have the determination and drive to implement security controls throughout our organizations. These controls should help determine how data is managed, how to deploy security best practices, and how to respond to various cyber threats.
A shared responsibility
CISOs take on massive responsibilities to secure data and systems, but they’re not alone. By working with IT, software development, and indeed the entire organization to implement best practices, we can all resolve to be more secure in the coming year. What are your #cybersecurityresolutions for 2019? Let us know via Twitter.