If you survived 2017 — a year full of data breaches, ransomware, distributed denial-of-service (DDoS) attacks and a multitude of other high-profile security incidents — you deserve a pat on the back. Some of us weathered the storm thanks to our careful preparations, the security controls we deployed, the incident response strategies we practiced and the recovery mechanisms we put in place. The rest of us can thank our lucky stars that things didn’t turn out for the worse.

Five Enterprise Security Resolutions for 2018

No matter how you navigated the treacherous threat landscape during the past year, it’s time for all of us in information security to make our New Year’s resolutions. If you’d rather not leave the fate of your organization to luck in 2018, here are five resolutions for chief information security officers (CISOs) to apply in the new year.

1. Explore AI and Machine Learning

Organizations of all sizes should review their technical controls to see if they are still as effective as they were thought to be. Obviously, firewalls and endpoint security solutions are crucial, but everyone in security knows that these controls alone will not keep you safe, much like antilock brakes and collision warning systems won’t prevent all possible automobile crashes.

Artificial intelligence (AI) and machine learning are worth exploring because, as the volume and sophistication of attacks continue to grow, manual incident response triage cannot keep pace. A Cylance survey of Black Hat USA 2017 attendees found that 62 percent believed AI would be used to commit cyberattacks in the next 12 months. Can your organization, customers and shareholders really afford to wait before taking proactive steps?

One of the bright spots in the AI landscape has been the IBM Watson project. IBM constantly feeds its AI engine cybersecurity-related materials to digest, training it to connect the dots of an attack. Watson for Cyber Security can process more data, deliver better endpoint threat detection and improve the way incident response is orchestrated across the organization.


2. Educate and Engage With Top Leadership

In 2017, both the World Economic Forum (WEF) and the National Association of Corporate Directors (NACD) provided directors and C-suite executives with guidance regarding the need to keep a close eye on cyber risks and improve cyber resilience across the enterprise. More recently, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission published an updated report on enterprise risk management (ERM) with 20 principles for directors and officers to connect strategy, risks and performance and to ensure strong alignment among all three.

3. Step Up Security Awareness

The CISO should, with the full support of top leadership, oversee an organizationwide effort to step up security awareness activities. Training materials should be relatable, direct and relevant to drive a gradual shift toward a strong security culture with reminders, fresh ideas, games and, yes, the dreaded phishing test.

This transition will not happen overnight, and there will be some pushback. But the days of writing passwords on sticky notes, sharing login credentials with office staff and practicing overall poor cyber hygiene, both at work and at home, need to end. CISOs should join forces with awareness evangelists to constantly remind staff members to follow security best practices.

4. Practice Your Breach Response

CISOs should work with HR, public relations, legal and other departments to prepare top leadership for a data breach. After all, you don’t want to be scrambling to determine what to do, who should talk to the press and how the public should be notified during a crisis.

Last year, IBM unveiled a cyberattack simulation as part of its X-Force Command Center (XFCC) to train C-level executives on crisis leadership. The XFCC also houses a cyber range and provides security operations center (SOC) training sessions.

5. Measure the Maturity of Security Activities

When it comes to cybersecurity, directors and officers should regularly ask themselves, “Are we getting better?” The answer to this question should be as straightforward as asking the chief financial officer (CFO) how year-to-date figures compare to those of the previous year.

Cybersecurity isn’t just a bunch of projects and activities — it’s a lifelong journey. Without the ability to measure its progress along that journey, an organization can find itself running in circles, too busy fighting fires with inadequate equipment and training to close the feedback loop and ask, “What lessons can we learn from this?”

Some organizations have formal enterprise risk management (ERM) frameworks in place. Those frameworks may use maturity ratings as part of the overall approach to governing enterprise-level risks. For organizations that haven’t yet deployed an overarching ERM framework, a good place to start is to evaluate the maturity of the enterprise’s cybersecurity capabilities. This past May, the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool, whose user guide describes it as “a repeatable and measurable process for institutions to inform management of their institution’s risks and cybersecurity preparedness.”
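The scoring rule behind a maturity assessment is what makes “Are we getting better?” answerable with a number rather than an opinion. The following is an added example, not code from the original article and not the FFIEC tool itself: it applies the Cybersecurity Assessment Tool’s rule that a domain attains a maturity level only when every declarative statement at that level and at every lower level is met, then goes beyond the article by comparing two assessment dates domain by domain and listing the unmet statements that stand between a domain and its next level. The two domain names are taken from the FFIEC tool; the declarative statements and the yes/no answers are constructed sample data, not the tool’s real statements.

```python
"""Maturity scoring in the style of the FFIEC Cybersecurity Assessment Tool.

Added example: not part of the original article or of the FFIEC tool. Only the
scoring rule (a level is attained when all statements at that level and every
lower level are met) follows the tool; the statements and answers below are
constructed for illustration.
"""
from dataclasses import dataclass, replace

# Maturity levels in ascending order, as used by the FFIEC tool.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]


@dataclass(frozen=True)
class Statement:
    domain: str
    level: str
    text: str
    met: bool  # "Yes" or "Yes with compensating controls" -> True, "No" -> False


def domain_maturity(statements, domain):
    """Highest level whose statements, and all lower levels' statements, are met.

    Returns None when even Baseline is not fully met (or has no statements).
    """
    attained = None
    for level in LEVELS:
        at_level = [s for s in statements if s.domain == domain and s.level == level]
        if not at_level or not all(s.met for s in at_level):
            break
        attained = level
    return attained


def next_level_gaps(statements, domain):
    """Unmet statements at the lowest level not yet attained.

    This is the concrete to-do list for raising the domain one notch; it is
    empty when the top level is already reached or nothing is defined.
    """
    current = domain_maturity(statements, domain)
    idx = 0 if current is None else LEVELS.index(current) + 1
    if idx >= len(LEVELS):
        return []
    target = LEVELS[idx]
    return [s.text for s in statements
            if s.domain == domain and s.level == target and not s.met]


def progress_report(previous, current):
    """Per-domain (previous level, current level, levels gained).

    A negative third value means regression, which is exactly the signal a
    board should see rather than have smoothed over.
    """
    def rank(level):
        return -1 if level is None else LEVELS.index(level)

    domains = sorted({s.domain for s in previous} | {s.domain for s in current})
    report = {}
    for d in domains:
        before, after = domain_maturity(previous, d), domain_maturity(current, d)
        report[d] = (before, after, rank(after) - rank(before))
    return report


def answer(statements, text, met):
    """Return a new assessment with one statement's answer changed."""
    return [replace(s, met=met) if s.text == text else s for s in statements]


# Constructed sample data. Domain names match the FFIEC tool; the statements
# are illustrative only and are NOT the tool's real declarative statements.
D1 = "Cyber Risk Management and Oversight"
D5 = "Cyber Incident Management and Resilience"

ASSESSMENT_2017 = [Statement(*a) for a in [
    (D1, "Baseline", "Information security policy approved by the board", True),
    (D1, "Baseline", "Cybersecurity roles and responsibilities assigned", True),
    (D1, "Evolving", "Cyber risk appetite defined and reported to the board", False),
    (D1, "Intermediate", "Cybersecurity metrics tracked against targets quarterly", False),
    (D5, "Baseline", "Incident response plan documented", True),
    (D5, "Evolving", "Incident response plan tested at least annually", True),
    (D5, "Intermediate", "Tabletop exercises include executives and third parties", True),
    (D5, "Advanced", "Detection-to-containment playbooks automated", False),
]]

# A year later: risk appetite was defined, but the executive tabletop lapsed.
ASSESSMENT_2018 = answer(
    answer(ASSESSMENT_2017, "Cyber risk appetite defined and reported to the board", True),
    "Tabletop exercises include executives and third parties", False)


if __name__ == "__main__":
    for d, (before, after, gained) in progress_report(ASSESSMENT_2017, ASSESSMENT_2018).items():
        print(f"{d}: {before} -> {after} ({gained:+d})")
        for gap in next_level_gaps(ASSESSMENT_2018, d):
            print(f"  to reach the next level: {gap}")
```

With this sample data the oversight domain moves from Baseline to Evolving while the incident management domain drops from Intermediate to Evolving because a single Intermediate statement is no longer met; the all-statements rule is deliberately unforgiving, so one lapsed control shows up as a lost level rather than a rounding error.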

Don’t Rely on Luck in 2018

As we turn the page to 2018, organizations and their CISOs should commit to improving the way they consider, manage, communicate and respond to cybersecurity issues. That means introducing cognitive technology into the security environment, educating top leadership about cyber risks, promoting a culture of security awareness throughout all levels of the organization, conducting data breach simulations and tabletop exercises to hone incident response capabilities, and measuring the progress and maturity of security activities.

Don’t leave it up to your lucky stars — given the rate at which cybercriminal techniques are evolving, your luck will surely run out soon enough. Whether you’re a CISO, security professional or everyday user, make security part of your New Year’s resolutions for 2018.

