From the Desk of a CISO: The Five Core 2020 Cybersecurity Resolutions

Over recent years, cybersecurity, and certainly the role of the CISO, have evolved – in many ways, for the better. Thanks in large part to the rapid digitization of business, the explosion of data and data sharing across the enterprise, and the move to cloud and mobile, the nature of information security has to change. And it has to change quickly.

At Code42, as we work to provide an insider threat detection, investigation and response solution to organizations that need to securely share data and collaborate to succeed at their work, we find ourselves in the center of it all. As 2020 is taking off, it’s a perfect time for security teams to reflect on what areas they can improve on when it comes to providing the most effective security to their organizations. As I’ve considered the state of enterprise security over the past few weeks, I’ve developed my list of 2020 resolutions. To be sure, some organizations, including Code42, are doing these things already. Yet there’s always room for improvement – and in security, we all need to work together toward the constant goal of improvement. 

Here are the areas that are especially important for businesses to focus on throughout 2020 and, as necessary, resolve themselves to improve.

Make sure security is a business driver

With the increased competitiveness of today’s business environment and the drive to digital transformation, cybersecurity can no longer be viewed as a reason not to move a business forward. The 2019 Harvey Nash / KPMG CIO Survey found that 44% of CIOs and technology leaders expect significant changes to come to their products, service offerings, or even their business model in the next few years. Security teams need to support, not hinder, this business change.

One way security teams can improve is to better understand and appreciate how their company drives revenue and ensure they are making smart decisions to support its specific business model. What does this mean in practice? Consider how a manufacturer will have a different risk posture than a healthcare provider, and how a healthcare provider’s risk posture will in turn differ from that of a trucking company or a software provider. It’s important that security professionals think of themselves not just as security professionals, but as risk managers who help direct and inform the business on taking on the risks that allow the company to meet its overall goals.

At Code42, our focus is on helping to secure this faster world of collaboration, which fundamentally enables security to be at the cornerstone of driving the business forward. We believe in supporting all forms of collaboration and innovation. We also believe that collaboration needs to be secure.

Embed security throughout the business

In many organizations, it’s still common for decisions about new applications, services and business direction to be made without the security team being part of the decision-making process. Unfortunately, when security is brought in at the eleventh hour and finds a number of risks that must be resolved, it causes considerable re-work, increases remediation costs and unacceptably slows down the business.

Further, the more rapidly businesses digitize, the more aggressively they add new product features, change business models and enter new markets and geographies (which come with their own geopolitical risks). As such, security leadership needs to be a part of discussions around planning and implementation from the beginning.

Having security embedded early saves time, costs and lots of headaches. To do this requires that security is built into the development and business decision-making process. In practice, this means that security engineers are integrated into the software lifecycle process – helping to write code, fix vulnerabilities, or address developers’ needs with consistent security solutions. (I advocated for security to be ingrained in these types of activities in a recent blog.) Or it means that your security org helps to vet a product or solution before it’s acquired. Or it means that the board asks the CISO for a security risk analysis before entering new geographies and business segments.

To stay competitive, however, it’s not enough to make sure security is part of the process – security also needs to be as effective and efficient as possible. Which brings us to our next resolution.

Automate all of the things

Security teams not only need to be involved early on to identify risks, they need to be enabled to fix those risks themselves through integration and automation. Automating security means mundane tasks can be handled without human interaction, freeing up security engineers for more important, strategic, value-added work.

Automating security tasks in the development workflow not only saves time and enables speed and scale, but it’s also critical for solving key issues faced by security professionals. Automation can help ease the security talent gap, alleviate alert fatigue, speed up time to incident resolution and reduce errors.

We are always working to improve our processes in areas that can be automated, including software testing, vulnerability management, malware incident response, and more. Any mundane task is a candidate for automation. For instance, when vulnerabilities are identified by an automated scan, it’s sometimes possible to patch automatically; other times, the best option is to gather all of the necessary context and package it for admins so they can get to work instantly.

If there’s a malware alert, automatically grab the necessary context from a source such as VirusTotal and, when appropriate, quarantine the infection. If a remedy cannot be automated, gather the associated context so analysts can quickly make a decision and respond.
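The enrich-then-decide flow described above, as an added example that is not Code42’s code or product. It assumes a hypothetical in-memory reputation table (`REPUTATION_DB`, with placeholder hashes) standing in for a lookup against VirusTotal, and a hypothetical triage policy: auto-quarantine only when the detection ratio is high and the host is not business-critical; otherwise package the context for an analyst.

```python
"""Malware-alert enrichment and triage policy (constructed example)."""
from dataclasses import dataclass, asdict

# Constructed stand-in for a file-reputation source such as VirusTotal.
# Keys are placeholder SHA-256 values, not real indicators.
REPUTATION_DB = {
    "0" * 63 + "1": {"malicious": 58, "total": 70, "label": "Trojan.GenericKD"},
    "0" * 63 + "2": {"malicious": 3, "total": 70, "label": "PUA.Adware"},
}

QUARANTINE_THRESHOLD = 0.5  # fraction of engines that must flag the file
# Hosts where an automated quarantine could disrupt the business; a human decides.
CRITICAL_ROLES = {"domain-controller", "database", "payment"}


@dataclass
class Alert:
    alert_id: str
    host: str
    host_role: str
    user: str
    path: str
    sha256: str


def enrich(alert: Alert, db=REPUTATION_DB) -> dict:
    """Attach reputation context to the alert; unknown hashes get ratio None."""
    rep = db.get(alert.sha256)
    ratio = rep["malicious"] / rep["total"] if rep and rep["total"] else None
    return {
        **asdict(alert),
        "reputation_known": rep is not None,
        "detection_ratio": ratio,
        "label": rep["label"] if rep else None,
    }


def triage(ctx: dict, threshold: float = QUARANTINE_THRESHOLD) -> dict:
    """Decide between automatic quarantine and an analyst package."""
    ratio = ctx["detection_ratio"]
    if ctx["host_role"] in CRITICAL_ROLES:
        action, reason = "analyst_package", "critical host: human decision required"
    elif ratio is None:
        action, reason = "analyst_package", "no reputation data for hash"
    elif ratio >= threshold:
        action, reason = "quarantine", f"{ratio:.0%} of engines flag {ctx['label']}"
    else:
        action, reason = "analyst_package", f"low detection ratio {ratio:.0%}"
    # The full context travels with the decision either way, so the analyst
    # (or the audit trail for an automated action) never starts from scratch.
    return {"alert_id": ctx["alert_id"], "action": action, "reason": reason, "context": ctx}


def run_pipeline(alerts, db=REPUTATION_DB) -> list:
    """Enrich every alert and apply the triage policy."""
    return [triage(enrich(a, db)) for a in alerts]


# Constructed sample alerts exercising each branch of the policy.
SAMPLE_ALERTS = [
    Alert("A-1", "ws-0412", "workstation", "jdoe", r"C:\Users\jdoe\Downloads\inv.exe", "0" * 63 + "1"),
    Alert("A-2", "ws-0413", "workstation", "asmith", r"C:\Temp\setup.exe", "0" * 63 + "2"),
    Alert("A-3", "dc-01", "domain-controller", "SYSTEM", r"C:\Windows\Temp\svc.exe", "0" * 63 + "1"),
    Alert("A-4", "ws-0414", "workstation", "bwong", r"C:\Users\bwong\app.exe", "0" * 63 + "9"),
]

if __name__ == "__main__":
    for result in run_pipeline(SAMPLE_ALERTS):
        print(f"{result['alert_id']}: {result['action']:16} {result['reason']}")
```

Only the first alert is quarantined automatically; the same hash on a domain controller, a low-ratio hit, and an unknown hash all go to an analyst with the gathered context attached.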

The move to DevOps helps with security automation. Some call this DevSecOps. It doesn’t matter what you call it; what matters is that security processes are an automated part of the development lifecycle, and that the security person is part of the cycle.

Focus on the human side of security

For years, we have focused on external actors and perimeter defense. We now need to shift the focus to include internal threats. We know that insiders have a considerable impact on an organization’s security. Yet many organizations spend too much of their attention on external threats and not enough on internal ones. It’s time organizations reallocate their focus appropriately.

How do insiders create risk? Let me count the ways… For one, some users sidestep company-provided file sharing and collaboration tools for tools of their own choice. This creates risk. Our 2019 Data Exposure Report found that 31% of business decision-makers use social media platforms (e.g., Twitter, Facebook, LinkedIn) to share company data, while 37% use WhatsApp and 43% use personal email to send files and collaborate with their colleagues. Another way? Seventy-eight percent of CISOs and 65% of CEOs admit to clicking on a link they should not have. This shows that it’s not just staff, but also senior leaders, who can make poor data security decisions. Have you ever emailed or shared a document with the wrong person? It’s not difficult to do. Though unintentional, the end result is still a risk to data.

Ultimately, enterprises can put protections and controls in place at every turn. Still, it only takes one internal user to abuse their access in a nefarious or careless way to cause a data breach.

Organizations need to dedicate more time to identifying insider threats, deciding what monitoring to put in place and optimizing how they detect and respond when events occur. Importantly, we have to do this without losing sight of our main focus to enable the business to collaborate securely.

Build a culture of security

No program or software solution will prevent all data from being at risk of exfiltration. It’s the security team’s job to educate employees on security risks and help foster an appropriate security culture.

What does it mean to build a good security culture? Consider security culture to be how those working within the organization act when it comes to data security. When there is a healthy security culture, everyone thinks before they click on links, for instance. If they have security questions, they’ll feel free to reach out to the security organization for answers. When they want to use a new product or service, or work in a new way, they will ask security about the risks. This is what good security culture looks like in practice.

Good security culture is actually a pillar of an effective insider threat program. Consider how many people in your organization would “say something if they see something,” to borrow the homeland security slogan. Most staff, if they see a peer sharing a document out of policy or in an insecure way, won’t say anything at all. That’s because people aren’t taught how to speak up or how to help co-workers do the right thing. An effective security culture helps change that for the better.

Every organization is different, and some are further along with these resolutions than others. However, with the rising insider threat and the increased pace of digital transformation, all organizations will benefit from making sure they are on track to continuously improve.