Five New Year’s Resolutions to Help CISOs Improve Enterprise Security in 2018
If you survived 2017 — a year full of data breaches, ransomware, distributed denial-of-service (DDoS) attacks and a multitude of other high-profile security incidents — you deserve a pat on the back. Some of us weathered the storm thanks to our careful preparations, the security controls we deployed, the incident response strategies we practiced and the recovery mechanisms we put in place. The rest of us can thank our lucky stars that things didn’t turn out for the worse.
Five Enterprise Security Resolutions for 2018
No matter how you navigated the treacherous threat landscape during the past year, it’s time for all of us in information security to make our New Year’s resolutions. If you’d rather not leave the fate of your organization to luck in 2018, here are five resolutions for chief information security officers (CISOs) to apply in the new year.
1. Explore AI and Machine Learning
Organizations of all sizes should review their technical controls to see if they are still as effective as they were thought to be. Obviously, firewalls and endpoint security solutions are crucial, but everyone in security knows that these controls alone will not keep you safe, much like antilock brakes and collision warning systems won’t prevent all possible automobile crashes.
Artificial intelligence (AI) and machine learning are worth exploring because, as the volume and sophistication of attacks continues to grow, all hope of keeping pace using manual incident response triaging processes quickly evaporates. A Cylance survey of Black Hat USA 2017 attendees found that 62 percent believed AI would be used to commit cyberattacks in the next 12 months. Can your organization, customers and shareholders really afford to wait before taking proactive steps?
One of the bright spots in the AI landscape has been the IBM Watson project. IBM constantly feeds its AI engine cybersecurity-related materials to digest, training it to connect the dots of an attack. Watson for Cyber Security can process more data, deliver better endpoint threat detection and improve the way incident response is orchestrated across the organization.
2. Educate and Engage With Top Leadership
In 2017, both the World Economic Forum (WEF) and the National Association of Corporate Directors (NACD) provided directors and C-suite executives with guidance regarding the need to keep a close eye on cyber risks and improve cyber resilience across the enterprise. More recently, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission published an updated report on enterprise risk management (ERM) with 20 principles for directors and officers to connect strategy, risks and performance and to ensure strong alignment among all three.
3. Step Up Security Awareness
The CISO should, with the full support of top leadership, oversee an organizationwide effort to step up security awareness activities. Training materials should be relatable, direct and relevant to enact a gradual shift toward a strong security culture with reminders, fresh ideas, games and, yes, the dreaded phishing test.
This transition will not happen overnight, and there will be some pushback. But the days of writing passwords on sticky notes, sharing login credentials with office staff and practicing overall poor cyber hygiene, both at work and at home, need to end. CISOs should join forces with awareness evangelists to constantly remind staff members to follow security best practices.
4. Practice Your Breach Response
CISOs should work with HR, public relations, legal and other departments to prepare top leadership for a data breach. After all, you don’t want to be scrambling to determine what to do, who should talk to the press and how the public should be notified during a crisis.
Last year, IBM unveiled a cyberattack simulation as part of its X-Force Command Center (XFCC) to train C-level executives on crisis leadership. The XFCC also houses a cyber range and provides security operations center (SOC) training sessions.
5. Measure the Maturity of Security Activities
When it comes to cybersecurity, directors and officers should regularly ask themselves, “Are we getting better?” The answer to this question should be as straightforward as asking the chief financial officer (CFO) how year-to-date figures compare to those of the previous year.
Cybersecurity isn’t just a bunch of projects and activities — it’s a lifelong journey. Without the ability to measure its progress along that journey, an organization might find itself running in circles, too busy fighting fires with inadequate equipment and training to close the feedback loop. Then they may ask, “What lessons can we learn from this?”
Some organizations have formal enterprise risk management (ERM) frameworks in place. Those frameworks may use maturity ratings as part of the overall approach to governing enterprise-level risks. For organizations that haven’t yet deployed an overarching ERM framework, a good place to start is to evaluate the maturity of the enterprise’s cybersecurity capabilities. This past May, the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Awareness Tool User Guide, which provides “a repeatable and measurable process for institutions to inform management of their institution’s risks and cybersecurity preparedness.”
Don’t Rely on Luck in 2018
As we turn the page to 2018, organizations and their CISOs should commit to improving the way they consider, manage, communicate and respond to cybersecurity issues. That means introducing cognitive technology into the security environment, educating top leadership about cyber risks, promoting a culture of security awareness throughout all levels of the organization, conducting data breach simulations and tabletop exercises to hone incident response capabilities, and measuring the progress and maturity of security activities.
Don’t leave it up to your lucky stars — given the rate at which cybercriminal techniques are evolving, your luck will surely run out soon enough. Whether you’re a CISO, security professional or everyday user, make security part of your New Year’s resolutions for 2018.