CISOs have always had a very tough job, but with spikes in virtually every kind of attack, new AI-related risks and a shifting regulatory environment, keeping businesses safe and compliant is only getting more difficult. While there is no way to anticipate every new threat, there are some data-backed ways to limit risk and build lasting resilience against attacks.
Here are five key commitments that CISOs should consider making this year to improve their cybersecurity posture:
Empower the entire workforce with cyber capabilities
Cybersecurity is not just the responsibility of the cyber team; the whole workforce needs to be adequately prepared for attacks. CISOs and other security leaders should provide opportunities for employees throughout the organization — regardless of role or department — to upskill their cyber capabilities, understand their shortcomings and improve their skill sets. Executives gather data to understand financial performance to fuel decisions — cyber leaders must do the same when it comes to cyber capabilities.
With 80% of cyber leaders uncertain about their teams’ readiness to respond to future attacks, leaders should strive to understand cyber strengths and weaknesses to make more informed decisions and investments in cybersecurity solutions. Employees across the workforce should have access to cyber exercises relevant to their individual responsibilities, an approach that equips leadership with insights into skills gaps. Armed with this data, leaders can be confident that their teams have the knowledge, skills and judgment to respond effectively to cyber threats.
Eradicate blame culture, recognize vigilance
Employees who take part in their organization’s cybersecurity drills or demonstrate security best practices are assets to cyber leaders. It’s important to build a culture that recognizes their diligence whenever possible. At a time when many cybersecurity professionals are considering leaving the industry due to stress, it’s important that employees believe their contributions to cybersecurity are valued. Recognition can take various forms, whether it’s praise during team meetings, awards, or other incentives. Acknowledging employees' dedication to cybersecurity initiatives motivates them to continue this level of work and positive behavior.
People should also be encouraged to speak up and do the right thing, including escalating threats or mistakes, without fear of losing their jobs. Cyber defense is a team sport, and there is no room for the blame game. Organizations that promote open communication about security concerns — even when an error has occurred — help raise awareness of potential threats and quickly address any security issues, ultimately limiting risk in the long run.
Double down on secure development best practices
Developers are often tasked with building line-of-business applications at pace without focusing on secure coding best practices. Given the inherent risks to organizations, from vulnerable code to the cost of correcting mistakes later in the cycle, requiring developers to upskill and prove coding efficacy should be mandatory. Security leaders should partner with engineering leaders to implement a secure coding “driving license” check for all existing and to-be-hired developers. This matters especially in light of developers' increased adoption of AI, which can introduce unexpected business risks and leave holes in cyber resilience that open the door to exploitation.
Prepare for after-incident response
It's important to build a team’s cyber capabilities across the MITRE ATT&CK framework. Unfortunately, we often see companies place too much emphasis on preventing attacks, and not enough on what happens after an attack occurs. With breaches more or less inevitable, organizations must implement training and resources to strengthen the cyber resilience of the workforce before, during and especially after an incident.
In an atmosphere that encourages too much time, money and energy to be spent on prevention, security leaders must shift toward investing in strategies that empower teams to respond faster and more confidently to emerging threats. By ensuring coverage across all elements of breach prevention and response, you can limit risk and mitigate the impact of a breach. The stronger an organization’s cyber resilience, the better suited it is to prepare for — and respond to — a cyber threat. Just as with any skill, cyber leaders should continuously exercise their employees against realistic and emerging threat scenarios.
It’s about preparing, not predicting
We can't predict the threats and vulnerabilities ahead, but security teams and employees can exercise their skills and stay vigilant to ensure that the impact and cost of these attacks are limited. It is the responsibility of the CISO and security leaders to ensure organizations are moving beyond awareness and instead equipping all employees with the right tools to build the knowledge, skills and judgment to respond effectively. By incorporating these commitments, organizations can be better prepared to report and mitigate cyber threats, boosting cyber resilience and overall security postures in 2024 and beyond.