Suggested New Year resolutions for CISOs

The tradition of starting the New Year by making resolutions is as ancient as civilization. According to Wikipedia it at least dates back to the Babylonians. So CISOs are in good company if they want to sit down this week and make a few promises for the next 12 months.

But what to promise other than the obvious: To do better than the year before? Two columns this week suggest some specific resolutions: One offers ways to toughen enterprise security. The other urges infosec leaders to improve cyber security knowledge in the boardroom.

Let’s look at that last one first. Ashley Arbuckle, Cisco Systems’ vice-president of security services notes the National Association of Corporate Directors’ (NACD) 2016–2017 Public Company Governance Survey found that almost one-quarter of boards questioned were dissatisfied with the reporting that management delivers on cybersecurity. At the same time, the report found that only 14 per cent of respondents felt that their board had a high level of understanding about cyber risks.

What’s a CISO to do? He makes four suggestions:

1. Understand your board’s appetite for risk and get involved in risk management;

2. Build a risk profile focused on protecting your enterprise’s most critical assets;

3. Measure cyber risk and establish real metrics;

4. Demonstrate effective cyber resilience and continuous improvement.

The full article tells how these steps can be accomplished. Resolve to do this work — and update it — and a CISO can have “a business-oriented, forward-looking conversation” with the board and business leaders, Arbuckle writes, “one that creates a deeper understanding of cyber risks and demonstrates how an effective cybersecurity strategy is essential for digital transformation.”

As for making more general resolutions to improve enterprise cyber security, Chris Veltsos a computer science professor at Minnesota State University offers five suggestions. One is to explore the possibilities of artificial intelligence/machine learning in your environment. Security vendors are increasingly pushing products they say have AI/ML capabilities. However, just plugging them into your network may not solve all — or many — problems.  “Machine learning by itself solves nothing without being applied to distinct problems,” one expert we quoted earlier this year said. For more on what a CISO should ask before buying, read this article:

Like Arbuckle, Veltsos also urges CISOs to resolve to engage better with top leadership. And it won’t hurt to resolve to find better ways to improve security awareness throughout the organization. Another suggested — and vital — resolution should be is to practice how the enterprise will respond to a breach.

But to my mind one of the best resolutions an infosec leader can make is to measure the organization’s security maturity. That, Veltsos notes, is the only way to answer the question, “Are we getting better?”

“Cybersecurity isn’t just a bunch of projects and activities,” he writes, “it’s a lifelong journey. Without the ability to measure its progress along that journey, an organization might find itself running in circles, too busy fighting fires with inadequate equipment and training to close the feedback loop.”

I wrote a long piece on how to do it last year. You can read it here.

Finally, if you made resolutions last year pull them out and see how you did. If there wasn’t much progress that may be one place to start in your resolutions.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Stemming the tide of cybercrime

By: Derek Manky Technology continues to play a significant role in accelerating...

Power through a work-from-anywhere lifestyle with the LG gram

“The right tool for the right job” is an old adage...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now