Nothing like turning the calendar to January, and feeling that sense of clarity and hopefulness that only a fresh start can bring. If your business was able to escape a major security incident last year, congratulations. Many of your peers can't say the same. But know, too, that the next major calamity is never far off, especially if your organization remains mired in poor security habits and practices, which may signal you've been more lucky than good up until now.
In the business of security, as in life, the problems of your past fail to evaporate merely because you've crossed into some arbitrary date or month. From a psychological standpoint, however, the new year does offer a unique opportunity for reflection and renewal - so let's not waste an opportunity to make up for some mistakes and oversights of the past.
"Resolutions" tend to come weighted down with too much expectation and pressure (no pun intended if you've set a resolution to lose weight). It's no wonder, then, that so many of them fail. Intentions, on the other hand, can be a more useful term. They're more about the journey than the destination, which seems optimal for a profession like security where progress is far more realistic and defining than perfection.
Despite already being three weeks into the year, here are four cybersecurity intentions still worth getting behind in 2018, with a content resource to go along with each that will provide actionable guidance to help move these intentions forward.
1) Make Security Cool Again
Many end-users think of security as not their problem and as something that keeps them from doing their jobs. At the same time, these same people exhibit behavior that will make you want to bang your head against the closest server. Both sides have a point, but until technology is inherently resilient and users quit doing dumb things, a balance needs to be struck - and the task inevitably falls on you. How can you build momentum across the organization around security? Start by improving IT's approachability, making security processes easier to follow, and glamorizing the awareness and education process through creative, trusting interaction with others, including executives. (Bonus: These concepts will also help to keep your security team happier and more engaged.)
Resource (E-Book): The Complete Guide to Building a Security Culture
2) Align Security and Compliance Efforts
Compliance is back in a big way in 2018, with the EU General Data Protection Regulation (GDPR) roaring into the picture amid concerns that regulators may act quickly with ruinous fines to make examples of delinquent companies. While such talk is likely more speculation than reality, most agree the GDPR will be enforced from the get-go. Yet companies shouldn't panic: If you already have a mature security program, you should be in fine shape to comply with the legislation. If not, consider its requirements much like the Payment Card Industry Data Security Standard (PCI DSS) - as a representative set of security best practices that will help take your organization well beyond the checkboxes.
Resource (Webinar): GDPR: What Matters and How to Address It
3) Fight Fire with Fire
Attackers continue to operate using sophisticated and difficult-to-detect methods to steal your company's sensitive data, and experts predict 2018 will bring a slew of newly evolved disruptions, from advanced ransomware and IoT troubles to threats leveraging AI and machine learning (it's not just for the good guys). You will need to respond with equally sophisticated solutions, particularly around detection and response. Concentrating on the endpoints is not a bad place to start, along with maturing your incident response (IR) efforts, because if you thought businesses were predisposed to breaches in 2017, there is more where that came from.
Resource (E-Book): The Hassle-Free Guide to Dominating Your Next Security Incident
4) Think Outside the Box
A new study found that CISOs are most concerned in 2018 not by data breaches or cyberattacks - but by the unrelenting dearth of talent in the industry. That may be an astonishing finding on the surface, but when you consider all that goes into operating and maintaining an adequate security program these days, from threat intelligence and threat hunting to vulnerability testing and threat detection and response, it's no wonder security chiefs are panicking. If you feel you can't get by on your own, turning to a managed security services provider (MSSP) may be the only logical answer.
Resource (White Paper): Why Move to an MSSP?
Dan Kaplan is manager of online content at Trustwave.