This week’s blog features an article from our friends at CSO Online about the top cyber security concerns and goals for chief information security officers in the new year: 12 CISO Resolutions for 2022
What are the top security priorities for the year ahead? Here’s what CISOs across industries say are their main objectives…
It’s still early days, but if this year is anything like years past, it’s safe to say CISOs will have a lot to contend with, from a continuing labor shortage to the increasing sophistication of cyberattacks to an ongoing threat from nation-state actors. However, they also have plenty of ideas on how they’ll tackle those challenges.
To learn what they’re planning to do and what they want to accomplish in the months ahead, we asked CISOs across various industries to share their main objectives—or, their top resolutions, if you will—for 2022.
Here’s what they say…
1. Eliminate blind spots
Suyesh Karki, CISO and VP of IT at cloud software company Domo, wants to eliminate blind spots within his tech environment because he knows that he can’t protect what he can’t see. “It’s important for our security teams to have visibility into all aspects of cloud applications, on-prem applications, network, services, systems, databases, accounts, third-party providers, etc. to help fortify our cybersecurity defenses,” Karki explains.
“Having a complete, accurate and appropriately prioritized inventory of all our hardware, software, and supply chain assets enables our security teams to take a systematic approach to knowing what needs to be safeguarded, what controls to implement to protect, defend, and respond against any adverse events, and how to identify and produce metrics that tell the full story about our current security posture.”
2. Get a grip on ‘the web of interdependence’
Maarten Van Horenbeeck, CISO of software company Zendesk, cites getting a better understanding of “the web of interdependence” within his company’s technology environment as a top goal for 2022. “I want to understand that mesh better so I can take action and know how to better protect it,” he says.
Although the complexity of that mesh has been growing for years, Van Horenbeeck says events during the past two years such as SolarWinds and Log4j have reinforced for him the criticality of understanding all the moving parts that make up his company’s technology ecosystem. To that end, Van Horenbeeck has invested in technology to gain a fuller understanding of his own company’s IT environment. And while he acknowledges that getting 100% visibility into vendors’ code is unlikely, he still wants a more detailed understanding of how third parties and vendors interconnect with his company and what data they’re accessing so his team can design security strategies to limit the risks they might present.
3. Get a solid look into the providers’ IT environment
Peter Albert, CISO of the tech company InfluxData, has a similar resolution, saying he wants “an understanding of the complete scope of the supply chain.”
He adds: “A lot of people think supply chain might be just the companies you have contracts with, but it’s so much more than that.”
For example, he says he wants to know what vulnerabilities are in the code used by third parties and what open source resources vendors use that could add risk. To further limit risk, Albert says he wants to implement more monitoring of his SaaS providers to ensure that his company’s data is secure as it passes through the providers’ environments.
“I think there has been almost a fundamental misconception in the industry around third-party providers that they will monitor our data, but what we’re finding is that’s not true,” he explains. “So we have to take some of that responsibility back, and that means gathering from those providers insights into who is accessing our data.” Albert’s not wasting time on this resolution. An employee has built a prototype for ingesting SaaS provider security logs while other staffers are building models to detect anomalies that could indicate security threats.
4. Do the common uncommonly well
As Booz Allen Hamilton CISO Ashley Devoto looks forward to emerging threats and a changing cybersecurity landscape, she also wants “to stay laser-focused on the fundamentals as we seek to strengthen our overall cyber resilience.”
More specifically, she wants to ensure she has a strong program for quickly identifying and remediating vulnerabilities; good processes for efficiently implementing patches; robust employee awareness and training; and full visibility across the IT environment.
She professes her belief in the business adage that equates success to doing the common uncommonly well. “That mantra really resonates with me,” she says, citing it as part of the inspiration for her resolution. Statistics inspired Devoto’s 2022 aspirations, too. “Hackers will continue to take the path of least resistance, so we have to be relentless on the basics. And by excelling at the basics, we’ll be postured to repel cyberattacks with speed and agility.”
Moreover, Devoto plans to develop metrics and key performance indicators to measure her team’s effectiveness and improvement on handling such fundamentals. Niel Harper, CISO and data privacy officer at the United Nations Office for Project Services (UNOPS), lists a similar resolution for the year and offers a granular look at how he’s going to achieve that objective.
He says he wants to focus more energy and resources on privacy and data; refine and enhance the control framework around third-party risk management; improve his enterprise’s protection against ransomware; and continue promoting the importance of email security “to every business leader I meet.”
5. Push security further left
To help ensure she and her team get the security basics right, Devoto plans to embed security requirements earlier into planning and development processes. “I am prioritizing expanding our suite of preventive controls and capabilities as we take the fight ‘upstream’ to thwart cyberattacks,” she says, adding that she wants to get “left of boom” with this drive.
She’s not alone in her ambition to shift left in 2022. The 2021 Global CISO Report from software company Dynatrace found that 89% of the 700 CISOs surveyed said that microservices, containers, and Kubernetes have created application security blind spots, and 71% said they’re not fully confident that code is vulnerability-free before going live. Moreover, 85% of the surveyed security leaders said they believe “application and devops teams must take more responsibility for vulnerability management to protect the organization effectively.”
6. Start retiring the reliance on passwords
Grant Gibson wants this year to be the year he gets his company further away from using passwords for access—or at least further away from using passwords as the main form of authentication. He sees the move as a critical play for improving security.
“We’ve been dealing with passwords for 40 years and the one consistent theme is that they get hacked,” says Gibson, CISO for CIBR, a cybersecurity think tank. That’s to be expected, he says. People still use the same password for multiple accounts, they pick easy ones to make sure they can remember them, and they write them down or store them in electronic files when systems require complex passwords—despite frequent warnings against such practices.
“Passwords are just out of control,” he adds, pointing out that recent high-profile attacks involved compromised passwords. Gibson says he’s working to implement stronger identity and access management (IAM) controls that are easier for people to use yet are more secure for the enterprise, acknowledging that there’s no single solution that will work best for all organizations.
Right now he’s implementing multifactor authentication within his own organization so that passwords aren’t the only way to authenticate users, and he’s exploring how to eliminate passwords altogether in the future. “The goal is to get to passwordless,” he says. “In the short term that means that passwords can’t be the only form of authentication. But for the long term the goal really is to be completely passwordless.”
7. Boost agility
Ariel Weintraub’s resolution for this year is to “be more agile.”
“Cybersecurity programs are most successful when they demonstrate resilience. The last few years have shown us that threat actors constantly evolve their tactics, looking for creative ways to circumvent conventional controls and approaches. The ability to be resilient is based on the ability to quickly pivot priorities,” says Weintraub, head of enterprise cybersecurity for MassMutual and board director for One In Tech, a foundation within the IT governance association ISACA.
She’s already taking action. “We’re moving from an annual cycle of prioritizing projects and initiatives to a continuous assessment leveraging our daily threat and vulnerability assessment capability that allows us to identify, measure, and respond to emerging threats and risks,” she explains. “This means not being afraid to pause or end certain initiatives and pivoting to new ones in response to the latest tactics and techniques. Ransomware operators aren’t afraid to take down their whole infrastructure, rebrand, and start fresh. In the same spirit, we’re going to be agile in the way we deliver new capabilities so that it doesn’t take years to respond to new threats. It’s not a failure to stop a project when it’s no longer relevant.”
8. Build better partnerships with the businesses
Tightening security’s partnership with the business is Van Horenbeeck’s other top resolution for this year. “We’ve been doing this for a while, but this is the year when it really becomes the prime thing we internalize,” he says, explaining that tightening security’s alignment with the business will help both teams advance their goals.
Here’s why: Van Horenbeeck says many security departments, including his own, have become highly proficient at identifying and addressing top-level risks within their organizations. That, though, doesn’t influence day-to-day work habits and business processes that often introduce lower-level security risks and stymie efforts to build a security-minded corporate culture.
A stronger partnership with the business will help security identify workflows that create risks. It will also help security understand why their business colleagues value those processes. That combination, along with the better relationships fostered by partnership, should help security and the business work together to find successful solutions. “It’s really about focusing more on where our partners are going rather than telling them what to do,” Van Horenbeeck says.
9. Take care of the team
Tony Velleca, CISO of UST and CEO of CyberProof, a UST company, plans to pay more attention to his workers this year.
Velleca’s right to be concerned: Some 84% of security professionals said they’re feeling burned out, according to the December 2021 State of Access study from software firm 1Password. Velleca says he’s looking for ways to not only retain talent but to motivate and energize them as the COVID-induced uncertainty and disruption drags on.
Like executives at many other companies, Velleca had a mostly on-site workforce that moved to remote overnight nearly two years ago. He acknowledges that the virtual environment has some benefits but at the cost of the face-to-face interactions that help people bond. Velleca says his company plans to bring people back to the office with options to work remotely, a move he hopes will help re-energize people.
He also plans to focus on innovative projects to boost workers’ excitement, and he’s deploying more automation to shift workers away from repetitive tasks to more engaging higher-level assignments.
10. Inspire new talent
Lena Smart, CISO of MongoDB, wants to help address security’s storied talent shortage, resolving in 2022 to recruit people to the profession.
“I plan to continue playing an active role in mentoring and supporting the outside infosec community,” Smart says. She herself took an unconventional path into the field. She left school at 16 and skipped a university education. She got into computers and networking thanks to her own interest in the space and some encouraging employers.
Now, she says, “As a CISO I often hear from my peers how difficult it is to find talent. While it certainly is competitive to fill infosec roles, we’ve seen really positive results from finding people with the right characteristics and helping them learn the technical ins and outs.”
11. Clean house
In typical New Year’s fashion, Brennan P. Baybeck, vice president and CISO of Customer Services at Oracle, is planning to clear out superfluous tools and investments that aren’t providing value, as well as to identify underutilized capabilities.
“I think now is a good time to take stock and see what’s available to us, what we had prior to the pandemic, things we piled on, where we have redundancies, and eliminate those processes and technologies that aren’t in line with the strategy,” he says. Baybeck says he plans to take this approach not only with technologies and processes within his security operations but with his staff, too. He says that he, like most others, has had turnover on his team. And he has seen shifts in the skills he needs on staff.
So, he’s taking time to re-evaluate positions to identify which professionals need what new skills and which roles need to evolve. For example, he decided to morph some vacant compliance-focused positions into engineering and developer jobs focused on delivering more automation, controls, and devsecops work—all of which better meet the company’s current and future security needs than the compliance roles.
12. Prepare people for the future
Jenai Marinkovic is also looking ahead, saying her main professional resolution for 2022 is to get security people ready for the future world. She sees three main areas to address. First, she wants to get security folks ready to work and engage in intelligent ecosystems (for example, a metaverse environment) and to secure them. That means understanding how to interact, communicate, and present in this new world; it also means understanding how both the technology and the people using it operate so security concerns can be anticipated and addressed.
Second, she wants to help them be experts in humans—that means being great at communication and collaboration, working as part of a team, and understanding user-centered design. And third, she wants security professionals to become more focused on business continuity, “to be able to decompose business processes and the systems that support them, because becoming really good at doing that is going to be key for surviving [a cyber incident].”
Marinkovic has started training teams on the principal components within those three broad areas of need through her role providing virtual CISO services through Tiro Security; as executive director of the GRC for Intelligent Ecosystems (GRCIE), a nonprofit corporation that provides mentorship, mental support, and educational enrichment for women, BIPOC and veterans throughout the United States; and as a member of ISACA’s Emerging Trends Working Group.
“The goal,” she adds, “is to get our people ready for a future that is already here.”
As the premier Managed Service Provider (MSP) of the Midwest, it’s our duty to keep businesses like yours protected around the clock with the best cyber defense available. As we dive into 2022, is your business making informed decisions and taking action to improve your SMB’s current security posture? CISOs around the globe are dedicating this year to strengthening their cyber security strategies. It’s a good idea to do the same in order to protect your business and your employees in the new year!
Curious how your workplace will benefit from Managed Cyber Security services from Computers Nationwide? We’d love to help!