CISO Spotlight: Security Goals and Objectives for 2019
February 7, 2019
I recently joined our ShadowTalk podcast to discuss 2019 planning and prioritization. If you listen, you will notice that I’m loath to refer to January planning as “New Year’s resolutions” since you know what happens to those resolutions. Three weeks into the month, they have faded into your distance memory. Quick question though, if you eat an entire box of Girl Scout Thin Mint cookies in one afternoon, does that break any of your New Year’s resolutions? I’m asking for a friend. Healthy eating failures aside, here are some of the 2019 CISO topics that are important for us.
Strategic planning should be going on all year long
It isn’t an exercise we do at the last quarter and first quarter of a year. Continuous strategic planning is the name of the game. Our risk management process feeds into our strategic planning on a quarterly basis.
Establishing a security and risk playbook for the year
This will help keep your security program on track. How many alerts, intrusions, audits does it take to get your program off track? Not very many. If you build out your calendar for the year and then hold yourself and your team accountable for sticking to it, you are more likely to have success in your program. Even if you are only able to stick to 70% of your calendar, you will still be in a better place than if you didn’t establish the framework. Here are some of the items I like to build into our annual security and risk playbook:
- Audit/compliance timelines (e.g.: ISO27001, SOC2, PCI DSS)
- Internal and external assessment work (penetration tests, purple team exercises)
- Security product/service renewal dates
- Dedicated employee development time
- Annual training dates
- Employee anniversaries
- Significant information technology investments that require security input
- Notable dates for the business (product launches, board meetings)
- Quarterly risk committee meetings
Avoiding “Expense in Depth”
This phrase has become a mantra for me ever since I wrote about it while at Forrester Research back in 2012. I define Expense in Depth as: the multilayered approach to ensuring minimal return on investment. See “Expense In Depth And The Trouble With The Tribbles” for more details. Here is how we avoid Expense in Depth:
- Ensure that we are aware of all the capabilities in our Security, IT, and DevOps stacks
- Maximize these capabilities; why pay for something we aren’t using, like a gym membership purchased as a New Year’s resolution?
- Don’t invest in any new capabilities unless we are confident that we don’t already possess something in house that could address our needs
- Pay for professional services to help with implementations and pay for training to make sure our staff can take advantage of our investments
- Track and score all of our investments and make sure they are addressing our needs. If they aren’t, get rid of them at renewal time and repurpose those funds
“Eating our own BBQ”
This is my analogy for “eating your own dog food,” or “drinking our own champagne” as Wendy Nather taught me. BBQ sounds much better to me than dog food. Our team has a great service with SearchLight, and we need to take full advantage of it. We also have a great tool with ShadowSearch, which we use for external enrichment of our investigations. It doesn’t cost me anything to use them, and I get great visibility into my external digital risks.
Figure 1: Using Shadow Search to track mentions of Digital Shadows on criminal forums, dark web sites and messaging applications
Hyperfocusing on process/program improvements
If we didn’t spend another dollar on technology, we would be ok for 2019? Of course, I do have new technology that will be added to the stack this year, but I want to focus on improving the program. Some of the key focus areas for me:
- Mature incident detection and response. Make sure we evolve our after action reviews and feed the results into our risk management and continuous strategic planning processes
- Improve 3rd party risk management. Continue to “eat our own BBQ” and use SearchLight and Shadow Search to monitor our 3rd party providers for risks to Digital Shadows
- Mature change control and application security in a cloud native DevOps environment
- Build a security culture that is transparent and results in positive user experiences for our employees. Never victim blame
Investing in the team
I have no illusions that employees will be working at Digital Shadows forever. Losing staff is inevitable, people move on; however, it is our job to foster an environment that retains staff for as long as possible. I want to understand our team members’ goals and aspiration and figure out a way to help them achieve them. Here are some ways in which we do that with our team:
- Setting dedicated time aside for career development and planning. We need to make sure we spend time away from our SIEM alerts, risk assessments and security awareness training to focus on the goals of our team members. Building this into the annual playbook is vital
- Providing our staff annual training that aligns with their goals as well as the needs of Digital Shadows. I prefer to get people offsite to a dedicated class where they can disconnect from their day jobs and focus on learning. We then have them brief the rest of the team on what they learned and look for ways to implement it into our program
- Foster a flexible work environment. So long as our work is accomplished, we are very accommodating to our team. Working remotely 2-3 days a week is basically a requirement. Taking time away for family responsibilities is encouraged
I’m sure I won’t meet all of the goals I have listed here; however, just the act of capturing them and building them into our 2019 playbook sets us up for success. Each quarter we will revisit them and adjust as needed. If you have some suggestions on your strategic planning, I’d love to hear from you.
For more on my CISO 2019 plans, listen to the full episode of ShadowTalk: CISO Spotlight: Security Goals and Objectives for 2019.
To stay up to date with the latest in digital risk protection, subscribe to our threat intelligence emails here.