With the aim of fortifying defenses and navigating changing risks, IT security leaders shared their New Year's resolutions, with a focus on their planned initiatives and strategic objectives to bolster organizational security posture.
The New Year's resolutions discussed by CISOs and security leaders for 2024 shed light on a multifaceted approach to shoring up cybersecurity practices as the evolving impact of artificial intelligence and generative AI looms over the industry.
An emphasis on the importance of assessing and updating business continuity, disaster recovery, and incident response plans is often coupled with a strong focus on fundamental detection, prevention, and response capabilities.
Other resolutions highlighted the need for building a robust security culture amid evolving technologies and regulatory landscapes, emphasizing the risks associated with human error and AI-driven attacks.
These resolutions collectively underscore the imperative for proactive measures, operational enhancements, and reactive capabilities, mirroring a comprehensive approach to cyber resilience as we head into 2024.
Justin Dellportas, CISO, Syniverse
My top three New Year's resolutions for improving cybersecurity resilience are centered around assessing business continuity, disaster recovery [BC/DR], and incident response [IR] plans; keeping these plans updated and practiced at their appropriate intervals; and continuing to focus on the detection, prevention, and response fundamentals.
It's important to understand the business' critical products and processes, be able to model out potentially disruptive scenarios, and determine if the organization's BC/DR and IR plans sufficiently mitigate the associated risks. This isn't something that can be accomplished in a vacuum by a cyber program alone, so establishing a strong partnership and having a presence with the executive leadership team is crucial to success. Formulating a cross-functional risk committee is a great way to get started. Underpinning all of this is ensuring there is a solid foundation of detective, preventative, and responsive cyber capabilities and processes. Building on top of that, having benchmark configurations, centralized logging, and patching all can help mitigate the impact of a cyberattack.
Rinki Sethi, CISO, Bill
In 2024, security and IT leaders have an opportunity to be proactive and make significant security improvements, including building a strong culture of security. AI and other new technologies are transforming organizations across the world while the regulatory landscape is changing and driving more scrutiny on cybersecurity programs. The risk of human error, social engineering, and lack of cyber hygiene remain top areas to focus protection efforts, and it is increasingly challenging with AI as a popular attack vector.
Organizations must increase vigilance and diligence of AI being used by threat actors and retrain employees to watch for and report any malicious activities. Human error can be greatly reduced with proactive and preventative controls in place, having the right tools and technologies to monitor and prevent both human errors and malicious activities, whether they are internal or outside of the organization. I'm excited about the possibilities and opportunities in this space in 2024 because, if we can get it right, it will be a game changer to stop the threat actors.
Katie McCullough, CISO, Panzura
As we embrace the New Year, organizations should adopt resolutions that not only fortify their defenses but also ensure agility and resilience. A paramount resolution is to establish mechanisms that guarantee minimal impact in the event of a security breach. This involves creating robust incident response plans and recovery strategies that can swiftly restore operations with minimal disruption. By preparing for worst-case scenarios, organizations can maintain their operational integrity and customer trust, even when faced with potentially debilitating cyber threats.
Another critical focus should be the comprehensive identification, assessment, and resolution or acceptance of risks. This proactive approach in risk management requires continuous monitoring and evaluation of the organization's security posture to identify potential vulnerabilities. By understanding and addressing these risks early, organizations can prevent them from evolving into serious threats.
Lastly, it's essential to provide secure services that seamlessly integrate with user and business unit operations. This means designing cybersecurity measures that are robust yet user-friendly, ensuring that security protocols do not hinder productivity or user experience. By achieving this balance, organizations can maintain a secure environment that supports, rather than impedes, their business objectives.
Devin Ertel, CISO, Menlo Security
I would begin the year by conducting a thorough risk assessment, identifying potential vulnerabilities, and strategically allocating resources to address the most pressing concerns. This proactive approach ensures that your cybersecurity strategy is not only reactive but also anticipates emerging threats, providing a solid foundation for resilience.
CISOs can effectively prepare for 2024 by aligning cybersecurity strategies with organizational budgets. This involves a judicious allocation of financial resources to implement robust security measures. Striking the right balance between investment in cutting-edge technologies and ensuring the scalability and sustainability of security initiatives is paramount.
Joseph Carson, Advisory CISO, Delinea
Continue looking at ways to move passwords into the background in the workplace. Many organizations started implementing passwordless authentication to enhance security and improve the user experience. The more we move passwords into the background and the less humans need to interact with them, the better and safer our digital world will become.
In 2024, the landscape of cybersecurity compliance is expected to evolve significantly, driven by emerging technologies, evolving threat landscapes, and changing regulatory frameworks. Privacy regulations like the GDPR and CCPA have set the stage for stricter data protection requirements. We can expect more regions and countries to adopt similar regulations, expanding the scope of compliance requirements for organizations that handle personal data.
Gareth Lindahl-Wise, CISO, Ontinue
One of my chief resolutions would be to focus on anticipating threats. There are very few genuine black swans. Build out a small number of realistic incident scenarios and, at least, do a tabletop exercise covering your ability to prevent them occurring, detect them happening, and respond to minimize impact and recover as quickly as possible.
Another top resolution for the new year is a push for more engagement. Security can be an afterthought. Let your peers and leaders know what you could bring to manage security risks in common business scenarios, including acquisitions, new products or service launches, investments, market entry, or downsizing. Be relevant and we are more likely to be there.
I would advise CISOs to focus on measuring success. You probably know what bad looks like. Do you know what good looks like? What are the indicators of security success? It isn't just the absence of bad.
It will also be important to push for a "speak up" culture. No judgment, confidential where needed, but your employees already know your weaknesses.
John Bruns, CISO, Anomali
Cyber resilience should focus on three core areas: proactive measures, operational measures, and reactive measures. To be proactive, CISOs should be completing or updating an overall maturity assessment of their organization, updating their risk registers, and ensuring a solid two- to three-year roadmap is established for their organization. Risk register updates should result in mitigation and controls that bolster an organization's ability to withstand a cyberattack.
From an operational standpoint, organizations must focus on the tools, processes, and people needed to build a comprehensive detection and response strategy. My resolution for improving operations begins with continued augmentation to our log management strategy that drives better detection engineering. From basic logging to advanced and enrichment logging, we're continuously building and tuning our detection and response processes to ensure incident mean time to respond is decreased.
To bolster reactive measures, my focus is ensuring we have "boots-on-ground" capabilities, including incident response experts, forensics capture and analysis, root cause analysis determination, and restoration capabilities such as rebuilding, patching, or deprecating affected systems.
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint
AI is coming and resistance is futile. While we see the great potential AI can have to help us in our work, we must make sure that we take advantage of these technologies responsibly and securely. Considering this, security and privacy professionals must work with their IT and business counterparts to develop and implement generative AI acceptable-use policies. This should include data privacy and confidentiality, access to gen AI, and responsible use of the technology. Putting these guardrails in place is critical.
In addition to developing acceptable use policies, ensure that you have ongoing training for employees so that they are aware and can act responsibly. Especially given how quickly applications of AI and machine learning have impacted our work, and how quickly this technology changes, security and privacy teams need to be agile in the new year.
Successful adoption of AI in a security- and privacy-centric way will be as good as the basic data governance and lifecycle management program you've implemented in your organization. As we say and have said for many years with regards to migration to the cloud: If you put garbage in, you'll get garbage out. So, it's important to clean up your data and make sure it's properly governed before serving it up to AI on a silver platter. Otherwise, you may end up finding that security by obscurity is no longer a fallback defense.