In the spirit of the New Year, it’s time to reflect on the past and make measurable resolutions for the future. Many people use this time to focus on personal goals, but it’s also important to think about what you can do to improve the security of your business. If you’re looking for ways to boost your company’s security posture in 2022, here are three tasks that you should add to your list.
Review Your Security Program
An annual review of your information security program is not only a good idea but, depending on your regulatory compliance requirements, may also be mandatory. We strongly suggest that every security executive review their existing policies and standards to make sure that they:
- Continue to align with the requirements of the business,
- Are not obsolete or referencing technology/business areas that are no longer relevant, and
- Are clear, concise, and meaningful to the target audience.
Conduct a Risk Assessment
Identifying risk helps you, your team, and the business understand what gaps exist and just how big and far-reaching those gaps are. It is not difficult to conduct an internal risk assessment against the framework your security program is based on, but you may find it difficult to objectively assess how well (or how poorly) you are performing in certain areas. An objective third-party assessment against that same framework may be a better fit: it helps you identify new risks and confirm the closure of risks you previously mitigated.
With the completed risk assessment in hand, the next "resolution" should be to prioritize the remediation of identified gaps in achievable and measurable milestones. Work with your internal and external stakeholders to assign each risk to a 3-, 6-, or 12-month bucket, and manage each bucket as an individual project. Not only does this help you schedule and delegate the remediation of risks, it also helps you hold yourself, your team, and the business accountable to the remediation process.
With the rapid pace of change in technology, it is important to review your security program on a regular basis so that you are not spending time and resources protecting areas that are no longer relevant. A risk assessment against the framework your program is based on will identify gaps in your current posture, policies, or processes so that they can be remediated with appropriate prioritization on a 3-, 6-, and 12-month schedule, which gives you both maximum effectiveness and accountability. To learn more about how Lares can assist you with these and other tasks, please contact us today!
Andrew Hay is the COO at Lares and is a veteran cybersecurity executive, strategist, industry analyst, data scientist, threat and vulnerability researcher, and international public speaker with close to 25 years of cybersecurity experience across multiple domains. He prides himself on his ability to execute the security strategy of the company with which he works without neglecting business objectives and the needs of its customers. Andrew is the author of multiple books on advanced security topics and is frequently approached to provide expert commentary on industry developments. He has been featured in publications such as Forbes, Bloomberg, Wired, USA Today, and CSO Magazine.