3 Cybersecurity Goals for CISOs - Security Boulevard


If 2020 has taught us anything, it’s that anything can happen. Honestly, how many of us had, “I will do my best to avoid a global pandemic,” as a New Year’s resolution for 2020?

That said, the chances that 2021 will be even more unpredictable are slim. So, we might as well indulge in setting some solid, achievable cybersecurity goals for 2021. Let’s dive in!


Stay Vigilant About WFH Cybersecurity Policy

Working from home (WFH) was the standard for the vast majority of companies throughout 2020. The situation will likely remain the same for the better part of 2021.

But as we learned in 2020, remote staff make for a very messy virtual environment that introduces far too many potential attack vectors. These include:

  • Previously airtight VPNs need to be accessed from all over the place, sometimes from private devices that don’t even use the most basic antivirus software.
  • New, non-vetted software is introduced in spades because it helps people more effectively collaborate remotely.
  • Fresh, Zoom-interviewed-and-onboarded employees are thrown into this ecosystem without proper cybersecurity training.

And the list goes on.

Fortunately, it does not have to be this way. A comprehensive WFH cybersecurity policy, and its unwavering enforcement, can put a stop to such behavior and allow your organization to operate smoothly, remote-first, without unnecessary risks.

Your policy should cover topics such as:

  • Compliance adherence
  • Access control and level-sensitive multi-factor authentication
  • Security infrastructure (security software, updates, maintenance, etc.)
  • Vendor vetting standards and practices
  • Employee onboarding processes
  • Employee education and training processes
  • Processes and practices in case of threats and breaches
  • Clearly defined roles and responsibilities

It’s important to reiterate that it’s not enough to merely come up with a good WFH cybersecurity policy – it has to be enforced religiously, and updated regularly whenever you discover potentially risky behavior that it does not cover.

Provide Continuous Education and Training

Early in 2020, CybSafe published their analysis of the 2017-2019 data made public by the Information Commissioner’s Office, the UK Government’s public body that deals with data protection, GDPR, PECR and more. They discovered that nine out of 10 data breaches in that period could be attributed to human error, in one way or another, as opposed to software or hardware vulnerabilities.

In other words, cybersecurity starts with the people in your company. Unless they’re aware of the potential risks – and the proper behavior to mitigate those risks – the strength and sophistication of your security infrastructure doesn’t matter.

That’s why ongoing staff education and training must remain a priority in 2021, especially considering the complex WFH ecosystem your company has probably adopted. This means regular cybersecurity awareness webinars, team meetings and briefings, individual talks, phishing simulations and introductions to newer threats such as voice phishing.

This means not merely reading a prepared script once or twice and hoping that some of it sticks, but continuously evaluating your employees’ knowledge and awareness, as well as updating your training to best respond to new threats.

Stay On Top of Your Supply Chain

A huge contributor to the increased complexity of remote work arrangements is the software supply chain. New devices used to access your company’s network and new software introduced to help people do their work can be rife with vulnerabilities. It’s your job to make sure they don’t pose an actual threat.

For one, all new software introduced needs to be vetted rigorously before it’s allowed to be included in your company’s stack. That’s especially true if users expect to use it in a way that could expose your sensitive data, or create a new point of access to your secure network.

In the work-from-home reality, your supply chain will expand in terms of hardware as well, starting with your employees’ private devices. Private devices are often not secured well enough to be given access to your networks. Even something as inconspicuous as a webcam can be a potential threat vector that malicious actors can exploit.

In addition to these three goals, you could add another: I will not let my guard down as people start returning to the office. The chances are that many companies will welcome their employees’ return a bit too exuberantly, and ease up on the new measures and practices that they adopted during WFH.

You’ll do well to avoid this. This new vigilance should be a standard for years to come. After all, why wouldn’t you make security a primary goal?


Natasha Lane

Natasha is a web designer, Java newbie, lady of a keyboard and one hell of a tech geek. Her expertise could be summed up in IT, digital marketing and business-related topics. Her interests are, on the other hand, wide and ever-evolving. Natasha is always happy to collaborate with awesome blogs and share her knowledge about IT, digital marketing and technology trends via creating high-quality content.
