What is the last thing to do before the end of the year?Add bookmark
It’s been an oh so eventful year and as we set our sites on 2021, we asked the Cyber Security Hub Community about the last thing to do before you take that step into the forthcoming epoch.
Insights from keeping an 'extra' eye focused on the holiday season, assessing this past year in total, doing an inventory of risk, budgeting and insuring for risk, user engagement to business enablement are covered.
What is the last thing to do before the end of the year?
‘Tis The Season
Martin Ingram, Product Owner, Identity and Access Management, Royal Bank of Scotland
I suppose the last thing for this year would be to button up and make sure we're good for a successful holiday season. We're going to see a lot of transactions coming through. There are a lot of people who haven't had as much fun as they deserve for the year- let's make sure that we can continue to serve them. Let's make sure that we've got the resilience- that we've got the cover going forward.
Dot your i’s and cross your t’s before the holiday season sets in- truly prepare for the inevitable but also the unexpected. And once you’ve prepared…
There Is No Last Thing
Parag Deodhar, Regional Chief Information Security Officer- APAC, VF Corporation
Unfortunately for security, there's no end of year. There's no closing. Even when employees go on a holiday, on vacation, the CISO is always on call. In fact, you will see a lot of activity happening during the holiday season. So there's no such thing as end of the year for a CISO unfortunately.
Parag proclaims that the CISO does not abide by traditional human timekeeping. He noted a similar sentiment in a session earlier this year. His concept is to always be testing, always be assessing, always be prepared. There is no start, there is no end- the CISO remains in constant motion.
Stop, Think, Assess
Iain Lumsden, Director of Information Security, Denver Health
There's been a lot of change that's taken place this year. Change with how people work, how people have operated, and planning what could happen still in the future. So that's a lot of change in an environment. Some of the changes to the regulations that came across are going to expire or get reversed and we have to be prepared for that scenario. Take stock of what's happened this year and what kind of change we've gone through and make sure that we're still in a good place moving forward.
There is no way that the execution of 2020 was the plan for 2020. Everything changed. Iain’s suggestion is to stop and realize all of the change that happened. Think about that change and what next steps should be taken to benefit from that change moving forward. Assess what can, should and needs to be done- and lay out that plan for 2021...until the next disruption.
Nannette Cutliff, SVP, Chief Information Officer, CISO, Pacific Service Credit Union
Take a full inventory of risk. Do your full risk assessment, go through all of your audits and go back and reassess all your gaps. You know them, now prioritize them. Those that are still outstanding- prioritize, remediation, mitigation or transference. If you have addressed them, go back and test and make sure that they are fully addressed. That they haven't morphed into a different kind of risk because often we have patched that hole but we may not have addressed everything downstream that contributed to the gap in the first place.
Ensure the risk you have now is the risk you think you have now. Benefit from the work you’ve done. Benefit from the time you’ve spent. Benefit from the knowledge you have. Benefit by putting a line under what’s happened- otherwise that knowledge and stance disappears.
Budget or Insure for Risk
Kayne McGladrey, Public Visibility Initiative spokesperson, IEEE
Get your budgets in. I think that's the main thing everybody needs to do is get their 2021 budget in if you're on an annual fiscal year. I hope you've already had a risk definition conversation- get in front of the board or in front of your CIO or in front of your CFO, whoever is going to ultimately pay the bill. And then for anything where you know you can't afford it because you've seen a reduction in your budget as a consequence of the pandemic- have that conversation early with your cyber insurance broker. (Cyber insurance should be paid out of legal). Because for every one of those things your budget ain't going to cover- it's got to either flow to insurance or to where you have written down somewhere that you accept the risk.
Based on a year of upheaval, change and innovation- you know the business case for the budget you need. Get your budget signed off and anything that’s missing, back up with insurance. Otherwise you are accepting the risk.
Stephanie Derdouri, Sr. Director Information Security Risk at Fannie Mae
2021 is not going to be too different from 2020. And there needs to be the understanding and preparedness for 2021. We couldn’t have been prepared for 2020, but now we’re prepared. We need to expect more of the same. I know a lot of companies are saying, no, hold your budgets, hold back. But I think that there does need to be an increased spend in security and we need to be able to advocate for that based on what we’ve seen. Based on the attacks we’ve seen, based on the work we’ve seen. And so, working with your workforce is going to become so much more important. If your people are not engaged- you're going to lose productivity- you're going to lose security. We must remember that the extreme stressors remain great. I’m probably more likely to click on a phishing email now than I was six months ago, because I have less time, less energy and less coffee.
Call it security awareness, security psychology, security consciousness or whatever you’d like. No matter the moniker, your engagement can amplify their awareness. And capping the year with more engementen will pay dividends in the year ahead.
Lisa Tuttle, Chief Information Security Officer, SPX Corporation
Our focus is very much around customer experience. Where you used to have people sitting in an office, you had a more predictable experience. Now we've got all these people on home networks. If whatever we’ve got planned improves our user experience and our ability to conduct business, then we have to be thinking about that.
Most executives utilize the term user. Lisa uses the word customer. When positioned as a customer, the concept of business enablement becomes more clear. Consider the last thing that can be done this year to improve the user experience, enable more business all while improving the overall security of the enterprise.