Most people have a few New Year’s resolutions – lose some weight, exercise more, spend more time with the family, etc. Based upon ESG research and many discussions with cybersecurity professionals, here’s a list of New Year’s resolutions for enterprise CISOs:
- Lead the effort to make cybersecurity part of the organizational culture. ESG/ISSA research indicates that 24% of organizations claim that business managers still don’t understand or support the right level of cybersecurity. In 2018, CISOs must alter this cybersecurity ignorance and apathy. How? Make a concerted effort to gain the CEO's support. Establish regular communications with all line-of-business managers. Work to better quantify risk in ways that business managers can understand and act upon. Get involved with business process initiatives before software developers begin writing code. Push HR for more hands-on training. Walk the floor and meet employees on a regular basis. CISOs must push as hard as they can in 2018. Those that make a difference can have a personal impact on risk mitigation across the organization. Those that fail should be ready to seek other employment in 2019.
- Invest more time and resources in the cybersecurity staff. Based on the ESG/ISSA research report, The Life and Times of Cybersecurity Professionals, we know that the cybersecurity team is overwhelmed, understaffed, and not getting the right level of training to keep up with their skills. We also know that 49% are solicited to take a new job at least once per week, so they are as good as gone if they aren’t treated fairly. To alleviate these issues, CISOs must do all they can to keep the cybersecurity staff productive, intellectually challenged, and happy. This means investing in training, mentoring programs, and career development. To recruit new talent, CISOs should also strive to make their organization a cybersecurity center of excellence. This includes establishing a cybersecurity culture, working with professional organizations, getting the organization more involved in cybersecurity research, and making sure the staff is stimulated at all times.
- Look for opportunities to employ advanced threat prevention. One way to bolster productivity is by decreasing the attack surface wherever possible with new types of advanced threat prevention technologies like next-generation endpoint security software, micro-segmentation, secure DNS services, threat intelligence gateways, etc. (Note: See the blog I posted on advanced threat prevention). Advanced threat prevention can lower the volume of security noise, enabling the infosec staff to focus its efforts on high priorities and find more time for strategic planning and skills development.
- Move security technology toward integration and advanced intelligence. CISOs should focus on rationalizing, consolidating, and integrating security technologies in 2018 with the goal of building a security operations and analytics platform architecture (SOAPA) that can collect, normalize, process, analyze, and act upon the growing amount of security telemetry. At the same time, organizations should research, test, pilot, and deploy selective security tools offering artificial intelligence. Based upon ESG research, CISOs can get the biggest bang for their buck by applying machine learning algorithms to existing security tools like endpoint security software, network security analytics, threat intelligence platforms, and DLP. This can help improve security efficacy of installed technologies without adding complex new projects.
- Make a commitment to automate and orchestrate manual processes. In cybersecurity, whatever can be automated should be automated. This includes gathering data, analyzing suspicious files, or applying simple remediation rules to block malicious activities. The caveat here is best summarized by a quote attributed to Bill Gates who said: “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.” In other words, CISOs should assess processes and strive for process improvement or they will end up automating/orchestrating a broken process and negate potential benefits.
Finally, CISOs should take a portfolio management approach toward cybersecurity by finding areas that can be simplified by cloud alternatives (as opposed to on-premise technologies) or completely outsourcing tasks to MSSPs or SaaS security providers.
I’ve written in the past about the CISO triad: Security efficacy, operational efficiency, and business enablement. These resolutions are intended to align with and enhance these objectives and could help promote a happy cybersecurity new year in 2018.