A CISO’s Holiday Wishlist
Heading into the holidays, what tops a chief information security officer's (CISO) wishlist for 2019?
It's that time of the year again. Security practitioners are just like the rest of us; they’re reflecting back on the past year, asking what worked, what didn’t, making lists, and setting expectations for the New Year. They’re also deciding where to divert funds and to dedicate resources over the next twelve months.
What tools, strategies, and products can help a CISO best prepare for the oncoming year? The needs change depending on the CISO but here are a few gifts a CISO probably wouldn’t mind finding their way into his or her stocking this holiday season:
More skilled defenders in the security trenches
The cybersecurity talent shortage, marked by the absence of skilled workers in professional information security roles, has been a major challenge for organizations, especially in the last several years. Recent statistics posit there could be as many as 3.5 million unfilled cybersecurity jobs worldwide by 2021.
The gap has been driven by a lack of training opportunities, digital transformation across information security, and a stark increase in cyber attacks and data breaches.
There's reason to be hopeful, though. The New York City Economic Development Corporation recently unveiled a $100 million venture, Cyber NYC, aimed at sparking innovation. In early 2019 the federal government is set to launch a new initiative, the Federal Cyber Reskilling Academy, to train federal employees to fill cyber positions. Relief is coming. Hopefully for CISOs, it’s sooner rather than later.
To get the board on board
It's probably safe to say this is on a CISO's wishlist every year but even more so following a wave of data misuse incidents at Equifax, Facebook, and Google. Cybersecurity is front-page news. If an executive board doesn’t prioritize security, it can open an organization up to risk, which can affect revenue and the company’s performance in the long run. Getting the executive board on board with cybersecurity, the importance of identifying vulnerabilities, patch management, and assessing risk is crucial for a CISO. Getting the green light on a cybersecurity strategy from the board could be the CISO’s greatest gift of all; it could also save the company from a lot of headaches down the road.
A better way to fight phishing
Sixty-five percent of CISOs surveyed by the Ponemon Institute earlier this year were worried about employees falling for a phishing scam. Phishing, like ransomware, data leaks, and social engineering scams, remains a constant concern for CISOs. Training and simulation campaigns that mimic phishing attacks can help but aren’t always effective. To truly combat the problem it may be better to opt for a layered defense. Organizations should still implement awareness training so employees can recognize phishing, but they should also ensure that two-factor authentication is in place on sensitive accounts, that spam filters are enabled, and that employees have a way to report and ask questions about suspicious emails.
A way to be ready for tomorrow's data protection challenges
The deadline for General Data Protection Regulation (GDPR) compliance has come and gone, but it’s maintaining compliance year in and year out that’s the real challenge. If your organization has processes and procedures in place to achieve compliance, will those efforts hold up year over year? Migration to cloud computing can complicate this for CISOs. Will all of the data you oversee fully comply? Any company that processes data on EU citizens or residents needs to ensure it's on the right side of GDPR or potentially face heavy fines. It's not just GDPR. U.S. states have recently passed legislation extending data breach notification rules, following in GDPR’s footsteps, and that trend is only going to continue. California passed a sweeping consumer privacy act this summer that could ultimately serve as the blueprint for the rest of the U.S. when it comes to data privacy. Organizations that fail to protect consumer data could face repercussions under these new laws designed to protect data and consumer privacy.