2020 was a year that turned the cybersecurity industry upside down, and global cybercrime losses are now expected to exceed $3 trillion in the post-COVID world. The security perimeter became virtually nonexistent as the workforce quickly switched to working from home during the pandemic. On top of that, the number of cyberattacks soared as malicious actors tried to take advantage of the chaos and the newly opened holes in organizations' networks. Security leaders had no choice but to adapt to this spike in cyber threats by turning to technology and data to help them make decisions about how to protect the enterprise.
Now as we begin a new year, CISOs are solidifying annual goals and thinking about what initiatives to invest time and budget on in 2021. Below are the top three priorities that CISOs need to focus on for their 2021 security programs.
1. Adopt a Data-driven Security Approach
Security professionals need to be able to accurately measure and understand their organization’s attack surface to anticipate and defend against cyber threats. However, the massive numbers of IT assets and volume of activity security teams must continuously monitor make it difficult to identify potential threats quickly enough. Consequently, many cybersecurity decisions are based on incomplete data, and CISOs worry about unseen risks and vulnerabilities. To overcome this challenge, CISOs must look into adopting systems that use AI to assess and analyze all of the data collected and produce relevant, actionable insights. This enables an enterprise’s security approach to become more data-driven, quantify cyber risk in real-time and make educated decisions to protect the organization.
2. Become More Efficient with Resources
Starting a new year is an ideal time for CISOs to reevaluate where their resources are being allocated. First and foremost, getting rid of tools and technology that are not useful to the security team can save budget. In addition, CISOs need to be able to see where their teams can be more efficient. For example, security teams should focus on reducing risk rather than chasing day-to-day items that will not have an impact. It is important for CISOs to not only make sure they have the right budget allocations or control the spend, but also be able to show the board exactly where the money is being used.
3. Increase Visibility into Cybersecurity Posture and Asset Inventory
An accurate inventory of IT assets is the most crucial part of upholding strong cyber hygiene and mitigating cyber threats. After all, if you don't know what's on your network, how can you protect it? However, managing all these IT systems at enterprise scale can be a daunting task, even for the most experienced security leaders. That is why it needs to be a top priority for CISOs in 2021. Creating and maintaining a comprehensive and up-to-date IT asset inventory can be extraordinarily complex due to the number and variety of enterprise assets in use today.
Most enterprise security executives do not want to admit that keeping track of IT asset inventory is a major challenge and can lead to risks being overlooked. To maintain a strong cybersecurity posture, CISOs need visibility at the organization level, business unit level and individual employee level. Looking to the year ahead, CISOs want a real-time inventory system that discovers all enterprise assets, continuously monitors them for vulnerabilities across a broad set of attack vectors, and prioritizes risk based on business criticality. They also need a system that maps these vulnerabilities at the endpoint and network level back to the specific business units and risk owners. Approaching inventory, vulnerability management, and business risk as an essential part of the business leads to better visibility and ownership of cyber risk for individuals, even outside of the security and IT teams.
By focusing effort and resources on these three key areas, security programs will be better equipped to mitigate risks for the entire organization and handle new cyber threats that emerge in 2021.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.