It’s that time of year again, all you CISOs and other security leaders: time to reflect on the year past and to promise yourself you’ll make next year so much better, both personally and professionally. Considering how most of 2020 played out, no one could blame you for thinking it can only get better.
For security practitioners, 2020 was a year of extraordinary disruption. For many, the coronavirus pandemic meant scrapping their carefully crafted strategic plans and focusing their security efforts and resources on adapting to the new normal. Business models—and the IT needed to support the business—changed overnight. Resiliency and work-from-home-related cybersecurity concerns became priorities, and conferences offering important networking and learning opportunities shifted from crowded convention halls to solitary web browsers.
This was not the year we had planned.
At this point, making new year resolutions for 2021 might feel like a fool’s errand; this year taught us that if anything unexpected can happen, it probably will. But there’s no harm in setting some goals that will make your organization more secure; make your team feel more connected and engaged; and make you a smarter, more balanced security leader.
Here are eight suggestions:
1. Resolve to accelerate compromise detection.
While many organizations are detecting compromises faster than before, nearly 28% of breaches took weeks and sometimes months to detect, according to the 2020 Verizon Data Breach Investigations Report. That’s a long time for a motivated threat actor to be on the loose with access to sensitive data. For 2021, resolve to evaluate next-generation security tools that augment traditional intrusion detection and prevention systems, such as machine-learning-driven solutions like Verizon’s Network Detection and Response service, which supports near real-time and retrospective packet-level inspection.
2. Resolve to optimize your use of available threat intelligence.
Unmanaged threat intel can be a fire hose of irrelevant information, so pledge to tame the beast in 2021. It’s not about “more intel”; it’s about integrating the most meaningful intelligence into your security operations. Also, while it’s often viewed as a luxury when there’s so much else to focus on, having a line of sight into the internet’s underbelly—the dark web—will greatly enhance your understanding of your specific threat landscape.
3. Resolve to dust off your incident response plan and actually rehearse it.
When was the last time you got your stakeholders—department managers and senior execs—into the same room for a tabletop incident response (IR) exercise? If you can’t remember, it’s been too long. Only 43% of the hundreds of IR plans reviewed by Verizon for its recent Incident Preparedness and Response Report even required an annual dry run. In 2021, update and practice your organization’s plan, and have tough conversations about your organization’s ransomware response policy and procedures before you actually suffer through an attack.
4. Resolve to consider whether it’s time to bring some flavor of “as a service” to your security operations.
In these uncertain times, one thing is certain: You and your team can’t do it all. With the increasing availability of security as a service—everything from “honeypots as a service” and “threat intelligence as a service” to “continuous security information and event management (SIEM) and analysis as a service”—now is the time to review your outsourcing options. Can you redeploy your staff to work on more daunting security challenges by outsourcing vulnerability scanning, SIEM optimization or another cloud-delivered managed service? It’s time to think it over.
5. Resolve to make employee engagement a priority.
Retaining skilled security staff is harder than ever given the global employment gap, with millions of security jobs going unfilled. Like most workers, security professionals want recognition, challenges, growth opportunities and support. For 2021, promise to partner with your human resources organization to develop and execute team-engagement plans. Rotate staff roles and responsibilities in consultation with (not “at”) your team members. Encourage team members to become subject matter experts in an area new to them, and then facilitate information sharing with the rest of the team. Every minute you invest in employee engagement will save you hours in interviewing candidates to replace people who leave.
6. Resolve to more frequently engage security program stakeholders.
Non-IT executives and line-level managers have become keenly aware that cybersecurity is as important to them as their balance sheets. But if the security team isn’t getting involved at the start of a major business initiative, or if the line-level managers have a “neutral” (or worse) relationship with the security team, it’s unlikely that the organization as a whole will achieve its strategic objectives. In 2021, identify key stakeholders and learn more about their perspectives on cybersecurity and your team’s efforts. Pledge to deliver more meaningful security data to your key internal stakeholders. And teach your security program influencers about the value of inviting security into their strategic planning at the start, rather than in the days leading up to launch.
7. Resolve to commit to diversity in hiring.
Cybercriminals aren’t all cut from the same cloth; your security team shouldn’t be, either. Diversity of thought, diversity of perspective and diversity of professional and life experience are critical to building a team that’s nimble, creative, effective and engaged. In 2021, pledge to step back each time you open a new requisition and really consider how your job applicants’ skills and experiences from outside IT security can help solve the challenges your security program is facing.
8. Resolve to occasionally unplug.
For busy security leaders, promising that you’ll take more time off to unplug and reboot the brain is the professional equivalent of pledging to lose 100 pounds by summer: It’s a great idea, but it’s easier said than done. Security, to borrow a cliché, is a marathon, not a sprint, and burnout is especially high among security leaders. Stepping away from day-to-day pressures to spend time with family, friends or alone with a good (non-security-related) book is not a dereliction of duties. It’s called a vacation, and there’s a reason why it’s called a benefit. If you don’t have a deputy or a team of people strong enough to cover for you for a day or two (or five), reconsider your hiring and professional development practices.