If 2020 taught us anything, it’s that nothing upends well-intentioned New Year’s resolutions quite like a global pandemic. In an unprecedented year for the world at large, IT security faced its own intense challenges securing a workplace landscape that was evolving at terminal velocity. By the end of Q1, annual strategic priorities fell by the wayside, replaced by a cycle of reaction and adaptation for all, from remote employees to company leadership. As we launch into 2021 determined to address the eye opening cyber realities of last year, CISOs worldwide are ready to implement new security measures with focus and intentionality. Whether departmental resolution or org-wide goals, wise IT security strategy for the new year will center around preparing to rise to every imaginable occasion, while defending against the unimaginable ones.  

5 Key CISO Security Resolutions for 2021

 
1. Defend Proactively for WHEN
One of the biggest current risks to IT security is also one of our blog’s frequent topics—ransomware. Industry-leading reports indicate that 44% of cyberattacks in 2020 involved ransomware or another form of malware, 86% were financially motivated, and 37% made use of stolen credentials to bypass serverwide protections. You can’t always anticipate malware attacks, but organizations will benefit from investing in proactive malware detection and purging, as well as setting cyber resilient recovery plans in stone. The other aspect of proactive defense lies in mindset—for your team to think about a cyberattack not as if, but when. This will create a new level of cyber awareness, a healthy sense of defensive urgency, and the human firewall necessary to thwart a real-world attack.  
2. “Disrupt” with the Basics
Among IT and organizational leaders, we all run the risk of becoming distracted by the latest iteration of cybercrime, taking our eye of the ball when it comes to everyday security essentials, where the vast majority of vulnerability lies. As BAI Security’s President/CEO Michael Bruck sees it, security basics are CISOs’ greatest area of opportunity in the new year:

The development of new hard- and software in 2021 will make plenty of New Year lists, but we’d like to avoid the distraction of those by encouraging folks to consider this: Whatever the latest and greatest invention, it won’t matter if organizations continue to fail on the basics of IT security. The vast majority of companies and institutions are falling short with the three areas most critical to security posture: proper endpoint protection, vulnerability/patch management, and social engineering. In other words, if your network perimeter is continually permeable, then some cool new multi-factor authentication isn’t going to help. And while we’d like to say we’re recommending folks get ‘back to basics,’ the truth is, most organizations have never done these basics well. So, we’d love to see the 2021 ‘disruption’ be attention to IT security basics like never before.

So, from in-house training and everyday authentication, to strategic budgeting and formal accountability measures, make sure this year’s priorities and practices keep the security basics in full view for all personnel.  
3. Address Permanent Remote Access
As COVID-19 safety continues to be paramount, and organizations make permanent shifts in the way they do business, the workforce will likely remain highly remote or blended in nature well beyond pandemic recovery. When quarantine was first implemented, the VPN was a popular solution to deal with employees exposing company data to their unsecured home networks and devices, but most VPNs are simply unequipped to deal with the required bandwidth. CISOs should be looking at the increasingly relevant future of remote work—how might you expand your company network to securely deal with access across the wide array of endpoints created by a remote workforce and the IoT (Internet of Things)?  
4. Catch Phishing Scams
One of the IT security world’s most dangerous actors is also one of its most common, and disrupting the basics doesn’t mean ignoring your garden-variety cyberattacks. In 2020, more than 20% of known threats routinely launched phishing attacks against their targets—70% to collect business credentials, 50% after personal data. The business email compromise (BEC) scam loomed large, catching employees unaware with emails that looked legitimate but contained telling typos, strange links, and other unprecedented correspondences. Leadership cannot underestimate phishing scams in the coming year. It’s critical to keep your employees abreast of current scams while staying informed yourself; when in doubt, contact your IT team, and remember that even the most trustworthy, mundane-looking emails may not be what they appear.  
5. Manage Your Supply Chain
The discerning CISO won’t overlook persistent issues like application security, a particularly egregious potential offender for organization-wide IT security. Forrester reports that weaknesses in appsec and other software vulnerabilities remain the most common external attack method, usually due to inadequate firewalls or lack of key compliance elements. And that’s not the only reason appsec is a hot topic going into 2021. One of 2020’s major headlines in IT security came about in December in the form of the SolarWinds breach, a textbook example of a supply chain hacking disaster. To avoid making the front page, CISOs must put time and effort into bolstering vulnerability management, selecting best-of-breed assessment tools, and choosing the right IT audit provider—your assets are worth it.  

Resolve To Do Better

Following 2020, we wouldn’t dare to speculate on what 2021 will bring, but we’re here to make sure you’re prepared for the best- and worst-case scenarios. Unsure of where to begin? Start with an accurate picture—a cohesive and comprehensive portrait of your security posture and risk status with our IT Security Assessment. With fully customizable options, consistently proven methodology, and cutting-edge execution of industry best practices as defined by the Information Systems Audit and Control Association (ISACA), your assessment and resulting security will be second to none. Kick off the new year right, and contact us today.