The tradition of starting the New Year by making resolutions is as ancient as civilization. According to Wikipedia it at least dates back to the Babylonians. So CISOs are in good company if they want to sit down this week and make a few promises for the next 12 months.
But what to promise other than the obvious: To do better than the year before? Two columns this week suggest some specific resolutions: One offers ways to toughen enterprise security. The other urges infosec leaders to improve cyber security knowledge in the boardroom.
Let’s look at that last one first. Ashley Arbuckle, Cisco Systems’ vice-president of security services, notes the National Association of Corporate Directors’ (NACD) 2016–2017 Public Company Governance Survey found that almost one-quarter of boards questioned were dissatisfied with the reporting that management delivers on cybersecurity. At the same time, the report found that only 14 per cent of respondents felt that their board had a high level of understanding about cyber risks.
What’s a CISO to do? He makes four suggestions:
1. Understand your board’s appetite for risk and get involved in risk management;
2. Build a risk profile focused on protecting your enterprise’s most critical assets;
3. Measure cyber risk and establish real metrics;
4. Demonstrate effective cyber resilience and continuous improvement.
The full article tells how these steps can be accomplished. Resolve to do this work — and update it — and a CISO can have “a business-oriented, forward-looking conversation” with the board and business leaders, Arbuckle writes, “one that creates a deeper understanding of cyber risks and demonstrates how an effective cybersecurity strategy is essential for digital transformation.”
As for making more general resolutions to improve enterprise cyber security, Chris Veltsos, a computer science professor at Minnesota State University, offers five suggestions. One is to explore the possibilities of artificial intelligence/machine learning in your environment. Security vendors are increasingly pushing products they say have AI/ML capabilities. However, just plugging them into your network may not solve all — or many — problems. “Machine learning by itself solves nothing without being applied to distinct problems,” one expert we quoted earlier this year said. For more on what a CISO should ask before buying, read this article:
Like Arbuckle, Veltsos also urges CISOs to resolve to engage better with top leadership. And it won’t hurt to resolve to find better ways to improve security awareness throughout the organization. Another suggested — and vital — resolution is to practice how the enterprise will respond to a breach.
But to my mind one of the best resolutions an infosec leader can make is to measure the organization’s security maturity. That, Veltsos notes, is the only way to answer the question, “Are we getting better?”
“Cybersecurity isn’t just a bunch of projects and activities,” he writes, “it’s a lifelong journey. Without the ability to measure its progress along that journey, an organization might find itself running in circles, too busy fighting fires with inadequate equipment and training to close the feedback loop.”
I wrote a long piece on how to do it last year. You can read it here.
Finally, if you made resolutions last year pull them out and see how you did. If there wasn’t much progress that may be one place to start in your resolutions.