Last year was particularly challenging for security professionals for several reasons. From the surge in cyber-attacks during the pandemic to the growing cybersecurity skills shortage, security professionals were spread thin and CISOs had to act strategically to maximize resources and protect their organizations. As we begin a new year, security leaders need to think about which initiatives they need to prioritize in their 2021 program and essentially pull together a ‘cybersecurity wish-list’ for the coming year.
We spoke with a few CISOs and posed these questions. Below is a recap of the most common responses we received about what is at the top of their 2021 cybersecurity wish-lists.
1. Depend Less on Gut Feelings and Become More Data-driven
Security leaders are frustrated with their inability to accurately measure and understand their enterprise’s attack surface. As a result, many cybersecurity decisions are based on incomplete data. Due to this obstacle, CISOs worry about unseen cyber-risks and vulnerabilities and struggle with how they can get better visibility. Forward-looking CISOs want a system that can help them be more data-driven and quantify cybersecurity-related risks. This is worth the investment for enterprises because more accurate data enables security teams to have better intelligence, which leads to smarter, more well-informed business decisions.
2. Use Resources More Effectively
Many security teams are spending too much time and effort on items and actions that will not move the needle for their organization’s cybersecurity posture. Instead, security teams should focus on proactively tackling cybersecurity issues such as unpatched vulnerabilities, misconfigurations, password hygiene, and other risk items in a timely manner. In addition, the budget can get eaten up by legacy tools that may not be effective. Planning for 2021, CISOs want to be able to see where their resource utilization is less than optimum and understand what they can change to become more efficient. They also want to know how they can deploy their resources - both people and budget - more effectively. This is achieved by prioritizing risk instead of chasing items that will not have an impact.
3. Get Visibility into the Overall Cybersecurity Posture
Cloudification and consumerization of IT have led to an explosion in the volume of different enterprise assets. Therefore, creating and maintaining a comprehensive and up-to-date inventory of IT assets has become much more complex. It’s paramount for CISOs to have a bird's eye view of the relative criticality of assets from a cyber-risk perspective, but it’s not always easy. Cybersecurity posture visibility should be broken down and available from a higher organization level to a business unit level. Security teams need to have visibility right down to the individual risk owner level.
Furthermore, CISOs want this real-time IT asset inventory integrated into a system that continuously discovers and prioritizes vulnerabilities based on risk. These security tools also need to provide a way to map these vulnerabilities and risk items at the endpoint and network level to the business units and risk owners. By monitoring this trifecta of inventory, vulnerability management, and business risk, organizations promote better understanding and ownership of cyber-risk by individuals outside the security and IT teams.
Fostering a Security-First Company Culture
In addition to the top three wish-list items discussed above, CISOs agreed on other important components of their 2021 security programs, which included ensuring that they have the right people on their team and facilitating risk-ownership across the whole organization. All these initiatives are key for having a security-first company culture that is prepared for tomorrow’s cyber-threats.