With the new year approaching, now is a great time to celebrate the successes (and failures) of information security leaders and reflect on the challenges these leaders face in 2017. With that in mind, we’ve condensed the list to five popular initiatives of cyber security leaders in 2017. After experiencing massive ransomware attacks, large-scale data breaches and other adverse cybersecurity events of 2016, we anticipate another demanding year.
Recently, we asked security executives how they plan to address cybersecurity in 2017. What lessons did they take from the past year? What do they anticipate are the issues needing the most attention in 2017? Additionally, we collaborated with Fortium Partners to gain the perspective of the CIO office.
What we learned from these conversations is summarized below: initiatives similar to those highlighted in 2016, with the addition of a few new priorities.
1. Third-party security risk grows as we continue to outsource critical functions and migrate systems to the cloud.

   Assessing third-party risk became a top priority after high-profile data breaches in 2013-2014. Third-party risk management initiatives finally made the project list across many security teams and C-suite leaders in 2015 and 2016, and will continue to improve with additional automation, scope expansion and improved metrics in 2017. Third-party risk management will become a core function of security and compliance operations and move off of the special projects list in 2017.

2. Influencing employee behavior and company culture around cyber security is challenging without top-level support and remains a top priority.

   Security awareness training is still a critical component of maintaining policy compliance and information security best practices. Security leaders will continue to sharpen and hone the messages and content delivered to end users throughout 2017, because security is everyone’s role, not just the security team’s. This is a theme the security industry has been focused on for several years. Although the topic is not new, take this as a reminder that user security awareness training is still as important as ever. In our experience, many successful attacks involve human error. Training is one key mechanism to reduce these errors to an acceptable level of risk.

3. Threat actors continue to adapt their tactics faster than we can build or adapt our defenses.

   Hardening the perimeter is an old concept and nearly inapplicable in today’s connected landscape. Thus, security leadership is taking the position that all connected devices are untrusted until otherwise vetted. This approach is also driving improvements in third-party risk management, where connectivity is often involved between two organizations. There are some promising new solutions in the marketplace that can perform real-time detection and stop questionable network traffic at the door. As the industry continues to improve upon attack prevention, we will see the sophistication of attacks evolve. The industry will always be in an arms race to build a better mousetrap as attackers devise methods to subvert the traps over time. In a nutshell, neither the leaders we speak to nor our own observations suggest this initiative slowing down or moving off the top five list in the near term.

4. Resources remain slim and do not line up with the demand for effective controls.

   The demand for skilled talent in cyber security has never been greater. We’ve spoken to a couple of solution providers who have a unique take on this: developing training programs that can turn individuals into effective cyber security analysts within 1-2 years. Accelerated training programs, coupled with trusted third-party partnerships, provide the best near-term solution to meet the demands of today’s security needs. Companies are growing tired of bidding for talent and instead look to partners to augment specific functions of their security operations, governance and compliance efforts.

5. Information security remains an afterthought which, in turn, feeds the perception that security is a barrier to innovation and speed to market.

   Reducing release cycle times and speed to market will continue to be top of mind for many CIOs and their business partners. Pressure will continue to build to skip past anything that could slow that process. However, the consequences of failing to catch vulnerabilities are clear, such as incurring regulatory fines, reputation damage and customer data theft, and the list goes on. Over the next few years there will be emphasis on building security into the software development life cycle (SDLC). The good news is that automated testing and source code analysis tools will continue to mature, enabling their incorporation into an organization’s SDLC.
It’s clear that security executives have their work cut out for them. How will they accomplish their objectives? We believe that the answer is simple: better communication. Too often, we observe information security leaders speak a language foreign to executives, board members and peers. The result is predictable. Security leaders experience perception issues connected to a lack of credibility among those in the C-suite. Without the trust and confidence of company executives, information security leaders find themselves swimming upstream with a flimsy paddle.
Make 2017 the year that you build credibility for your program. Speaking the language of business and developing a business story around cyber security program priorities and successes are critically important to maintaining credibility. Collaborate closely with the CIO and internal audit/risk management functions to educate management and gain support for critical initiatives. Express your ideas, recommendations, and proposals in ways that engage and energize executives and board members. Use business-focused metrics to tell a compelling story. Focus on process over controls.
Secure Digital Solutions wishes our customers and all business leaders a successful and productive 2017. May you earn the credibility needed to advance your business objectives for the new year!
Contact our team to learn about methods to communicate with executives and boards of directors using our MAPP™ (maturity assessment, profile and plan) methodology, enabled by the cloud-based TrustMAPP® platform.