Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

We asked chief information security officers how they plan to get their infosec departments in shape next year.

Joan Goodchild, Contributing Writer

December 30, 2019


It's that time of year — a chance to take stock of your accomplishments as a security leader in 2019 and decide your priorities for 2020.

First, let's look back. We know from research that breach rates rose (again) and the cost of one to a business is, on average, $3.92 million — a 1.5% increase over 2018. That's despite more money being thrown at security. According to the Enterprise Strategy Group, 58% of organizations were forecasted to increase cybersecurity spending this year.

But, hey, new year, new decade, right? It's time for a new chapter in your efforts to lead security strategy in a fresh and innovative direction. Maybe there's a new tool or strategy you want to roll out next year. Or a philosophy and process you plan to incorporate. Maybe you just want a happier, healthier outlook for your security team.

We asked CISOs what they are resolving to do in 2020. Here are some of their top goals for the new decade.

Resolve to Make Security a Business Driver

"Infosec is often put in as a reason not to do something or, worse, an inhibiter of great ideas to drive the business forward," says Jason Haward-Grau, CISO at PAS Global. "2020 is the year that we should really seek to embed the security enablement process into the business. In 2020, I want to ensure infosec is fully embedded into the business value chain."

"In 2020, CISOs should resolve to understand better how their businesses drive revenue and minimize costs," says Rick Holland, CISO and vice president of strategy at Digital Shadows.

Resolve to Prioritize Privacy

"My 2020 resolution will be to develop a new strategy around information privacy and to have more coverage around data privacy in the form of a global privacy program," says Jason Lau, CISO of Crypto.com, who said he will be looking to the recently released ISO 27701 and upcoming NIST Privacy Framework for guidance.

"The current problem in all industries is the lack of awareness of privacy," he says. "My resolution is to not only promote more awareness of data privacy, but also to officially embed it into different processes within our organization. I believe in injecting different aspects of privacy — in the form of security and privacy impact assessments — early. The product design phase is critical for all organizations to promote privacy by design, privacy default."

Resolve to Focus on the Human Side of Security

"For 2020, my security resolution is to dedicate more time to reviewing and improving the human side of our IS [information security] provision, and identifying weak areas, policy flaws, and missing protocols that might be compromising our overall net of protection," says Alison Davies, CSO of English Blinds. "[That could] be higher-level employees that are too slack about where they leave their company laptops, poor or patchy access protocols to buildings and areas containing proprietary technology, or improper sharing of access passwords amongst employees that are overly familiar with each other for the sake of convenience."

Resolve to Be Agile

Integrating security into agile processes means security gets baked in at the outset of the software development cycle. Doing so can have many benefits, including enhanced innovation, collaboration with other teams, and more confidence in the security of products being released into production. But when it comes to agile, some security teams may have programs that are more mature than others. 

"2020 affords me the opportunity to introduce more agile processes across my team and their day-to-day operational abilities, which will help reduce redundancies and complacency," says Israel Barak, CISO of Cybereason. "I hope this helps each person to grow their individual talents and skills by better automation of repeatable procedures, which will also improve decision-making. With better decision-making and reduced complacency, I hope to see workers that are happier and more productive."

Resolve to Gain Better Visibility into Data and Systems

"Containerization, microservices, and the overall advancements of distributed computing are providing incredible benefits for scalability and growth," says Andreas Haugsnes, director of security at Unity Technologies. But these advancements bring both gifts for business innovation and headaches for security, because there is so much to control and manage today.

That's why Haugsnes says his 2020 resolution is better visibility.

"Challenges are brought to a new level of complexity trying to map where data exists, flows, or is computed at any given time," he says. "Due to the constant change, my New Year's resolution is to have the visibility and controls closer to the data and, if possible, embedded."

His visibility goal is echoed by Roger Hale, CISO in residence at YL Ventures.

"We live in a perimeterless ecosystem, where our employees work and where data is created and used," he says. "My approach is data access first. We are such a connected, data-centric world today that by following the access to data and who is acting on the data, as well as moving the data, we can build the mapping of data across on-prem, cloud, and mobile."

Resolve to Make Security (at Least a Little) Fun

With a well-documented skills gap often lamented in the industry, maybe 2020 should be the year to look at what you offer as an employer. Beyond the actual work, why would a talented security professional want to come and work for you?

"I think we need a 'chief fun officer' to be recruited or to be added to the responsibilities of every executive, including in infosec," says PAS Global's Haward-Grau. "'We make work fun' is a value I have worked to demonstrate over the last 15 years, and it's something we quickly forget in times of challenge or crisis, especially in infosec. There is not going to be a quieter time than now, so it's best to start now. Work should be enjoyable, not a daily slog."


About the Author(s)

Joan Goodchild, Contributing Writer

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.
