I wanted to write a quick post about the topics CISOs should be thinking about going into 2024. I initially thought about commenting on the newest trends or newsworthy headlines like AI or the new SEC cyber rules but concluded there’s enough buzz around these topics.
So, instead of writing about the newest trends, I want to focus on the not-so-glamorous stuff that often makes the difference between success and failure in leading a cyber program. These are more reminders for us going into 2024 than anything else.
- Get the basics right – Develop and document the core cyber processes that manage internal and third-party risk. Make sure the security technology stack supports those processes in a meaningful way, and that the processes in turn keep the tools you already have scaling and healthy over time. Partner closely with your IT counterparts to ensure their processes and programs for managing assets, patching, and addressing vulnerabilities are soundly designed and documented.
- Make a plan and (try to) stick to the plan – Take the time to develop a cyber strategy. Map the strategy to initiatives and projects and put them on a timeline. Share it with key stakeholders to get support and funding. It is okay to occasionally adjust to real-world cyber events, but if you are constantly pivoting, you will limit forward progress.
- Make smart resourcing decisions – Always weigh the pros and cons of hiring or devoting staff to specific activities against the option of having a trusted third party help. Ultimately, several tasks and functions are critical to enabling a program yet are operationally transactional. Always ask whether a third party could perform these activities and whether that would free staff up to drive the program and manage risk more effectively.
- Be ready – Don’t forget to focus on building the organization’s ability to respond to and recover from major incidents. This means making plans and practicing them. Focus time on creating an information security incident response plan, business continuity plan(s), and disaster recovery plan(s). Practice by conducting tabletop exercises with IT, business, and executive stakeholders.
- Smile, shake hands, and get coffee – Operating a cyber program of any size depends on building and managing relationships to get things done. Building and maintaining relationships with your organization’s staff, peers, and leaders is potentially a game-changer when you need funding and support for critical cyber initiatives.