CISOs' New Year's resolutions for 2016
2015 has been an eventful year for cybersecurity, with substantial data breaches impacting everything from niche businesses to major government institutions, communication networks and children’s toys.
“Breaches are not going away any time soon,” said Tim Erlin, director of IT security and risk strategy for Portland, OR-based Tripwire. “We have seen massive changes in the breach landscape over the last year, and chief information security officers should anticipate escalating threats in 2016. There’s zero chance we’ll escape the next year without significant compromises. Every organization needs to step up its cybersecurity programs. You won’t be able to improve your security posture without significant effort, and doing nothing doesn’t count as preparedness.”
A new year brings new opportunities for improvement, according to Erlin. He recommends CISOs make the following security resolutions in 2016:
- Build a comprehensive breach response plan before you need it. If you don’t have a well-established, well-socialized plan for what to do after a breach is discovered, now is the time to develop one.
- If you have a breach plan available, now is the time to test it. Run a simulation or use another methodology to test and review that plan. This is especially valuable if the breach response plan is old enough to need a revision.
- Take your general counsel to lunch and talk about breach preparedness. When a breach occurs, the legal team needs to be ready to help out and be on your side. Set a date to either get the conversation started or keep the current one going.
- Resolutions often slide, but in 2016 stick to them and get ahead of compliance. Policy and regulatory compliance aren’t exciting, but they can be costly and painful if neglected.
“It’s imperative that CISOs start thinking about the cost of doing business securely,” noted Chris Conacher, security analyst for Tripwire. “This includes tool costs and training the right people, as well as the cost of adding the appropriate checks and balances to existing business processes. 2016 needs to be the year where security becomes a fully integrated business process, not just an afterthought.”