Top Ten New Year’s Security Resolutions

Strengthen Your Security Posture in 2020 

We’re fast approaching the time of year when many people make one or more New Year’s resolutions.  While some people stick to their resolutions better than others, we can learn a thing or two in security from this practice.  It is in this spirit that I present the top ten New Year’s security resolutions that we should make and keep in 2020:

1. Focus on risk:  When I studied Physics in University, I would often get stuck trying to solve a problem.  If I asked for help when I was stuck, the answer I received would invariably be “go back to first principles.”  Eventually, I learned to go back to first principles on my own, without needing to be reminded.  Security is no different.  When we get stuck on something, we need to go back to first principles.  In security, that means focusing on risk.  More specifically, on measuring, minimizing, managing, and mitigating risk.  Resolving to focus on risk empowers a security organization to evaluate each decision according to how it helps, or hurts, their efforts to stay on top of risk.

2. Be strategic:  It might be enjoyable to follow a bouncing ball while watching a tennis game or ping pong match, but that’s no way to run a security program.  There is no shortage of distractions in our field, and each one seeks to grab our attention and pull us off of our focus.  Whether it’s the crisis “du jour”, the latest alarmist recommendation, a hot technology fad, or any of the other distractions we may encounter on a given day, we need to think and operate strategically.  We should have a clearly defined vision and strategy, and each decision we encounter should be evaluated against how well it supports that vision and strategy.  Resolving to adhere to this approach will help a security organization improve its security posture by investing in activities that improve the security posture, while minimizing investment in activities that don’t.

3. Plan:  It goes without saying that you wouldn’t leave for a business trip without having a plan.  Where am I going?  What meetings do I have?  What are the objectives of this trip?  Where will I be staying?  Have I gathered all of the material I will need for the trip?  These are among the many questions we might ask, and answer, ourselves before stepping out the door for a business trip.  The same approach is required in security. While it may seem obvious to you, many security teams do not have a clear idea of where they are going, who their audiences are, what objectives they have, what tools they will need along the way, and what work needs to get done before, during, and after the journey.  Resolving to plan is a good way to begin the new year.

4. Execute:  All the plans in the world do us no good if we have no way to execute them.  Just as it’s important to be strategic, it’s also important to be able to operate.  Each strategic plan needs to be broken down into operational and tactical components that can be implemented over the desired period of time within the allocated budget. Not having a detailed plan can cause the security organization to fail in implementing its vision.  That, of course, will hinder security’s ability to safeguard and defend the organization. Resolving to execute is what allows the team to take improved security from a vision to a reality.

5. Measure: Metrics has become a dirty word of sorts around the industry.  It shouldn’t be. Well-designed, relevant metrics can help the security organization continuously assess and measure risk, performance, and a number of other indicators.  This has many advantages, but chief among them are the ability to assess progress and adjust course as necessary, as well as the ability to show value to leadership and executives.  Resolving to measure better will do you a world of good.

6. Reduce noise:  It is an unfortunate reality that many security organizations live in a near constant state of noise.  False positives, one-off taskers, and other forms of noise can overwhelm most security teams if left unchecked.  Resolving to increase the signal, reduce the noise, and take back the work queue and work environment can help a security team stay on top of its duty to defend the organization.

7. Implement best practices:  There seems to be a lot of talk of best practices in the security industry. Talk is cheap, though. Until best practices are implemented operationally, they don’t help us improve our respective security postures. If a best practice looks like it will help you, then invest resources to implement it. Otherwise, quit talking about it and focus on what you believe will help the business operate more securely.  Resolving to implement the appropriate best practices helps an organization take the right steps towards improving its security posture.

8. Don’t overanalyze:  I’m amazed at how often I encounter organizational paralysis. While we certainly don’t want to make snap decisions that have little basis in logic and reason, we also don’t want to overanalyze each decision to the point of paralysis. Resolving to give each decision just the right amount of analysis ensures that the security team will not operate on impulse, nor will it paralyze itself through overanalysis.

9. Ignore conventional wisdom:  There is a lot of conventional wisdom in security that is floating around.  Some of it is actual wisdom, while much of it consists of long-held beliefs that have little basis in fact.  If a piece of conventional wisdom has been proven effective and its success can be measured, by all means, abide by it.  Otherwise, resolving to ignore conventional wisdom can help you ground your security program in fact and improve it based upon logic.

10. Be honest with yourself:  Self-awareness is rare. Most people and organizations aren’t able to see themselves as trustworthy outsiders see them.  While it’s not easy to achieve this level of introspection, it is highly desirable.  Only when we can step back and see all of our qualities and all of our faults can we begin to work towards a better security posture.  If we’re unable to see ourselves honestly, we may need to look to external resources to help us get there.  Resolving to see ourselves as others see us is the first step towards bolstering our information security defenses.

Have a happy and secure New Year!