A CISO’s anti-resolutions checklist for 2024


16 Jan 2024


Hackuity’s Pierre Samson gives us his ‘not-to-do’ list to improve your organisation’s cybersecurity management this year.

2024 doesn’t have to be filled with the same old new year’s resolutions. In reality, most resolutions are just exhaustive to-do lists that never get done, embraced with fiery conviction until they fizzle out in February. For CISOs, there is unprecedented pressure to do more with less, all while managing the escalating risk of cyberattacks fuelled by an unmanageable mountain of vulnerabilities.

So, perhaps it’s time to flip the resolutions list on its head and consider our goals from the opposite point of view.

With that in mind, here is a list of ‘anti-resolutions’ for 2024. This is your ‘not-to-do’ list of practices to give up.

At the end of the year, your cybersecurity defences and organisation’s resilience will be stronger for it. If you’re a security leader grappling with what to prioritise, saying no to these first will kickstart your 2024 with a more robust, efficient and effective cybersecurity programme.

Stop the point solution bloat

The typical security team juggles upwards of 75 security tools, leading to a sprawling, unmanageable tech stack that reduces the security team’s efficiency and can end up exposing a bigger attack surface. Most importantly, with budgets under more scrutiny in this non-recession that feels very much like a recession to anyone balancing a budget, not every company has the luxury of adding to their tech stack to meet each new cybersecurity challenge.

‘This year’s first anti-resolution is clear: simplicity and consolidation are key’

There’s noble intention behind accumulating a smorgasbord of different point solutions, whether it’s a desire to cover all bases or in reaction to a recent incident. But the trade-off is operational overload and a fragmented security posture.

The US National Vulnerability Database’s alarming report of over 220,000 common vulnerabilities and exposures (CVEs) to date is a stark reminder that attackers move faster than defenders.

This year’s first anti-resolution is clear: simplicity and consolidation are key. CISOs must focus on streamlining their operations, bringing order to their stack and maximising the value of their existing solutions and resources. CISOs need to assess their existing tools, identify overlaps, redundancies and gaps, and make smart decisions on where to invest. Siloed tools are so last decade. In 2024, platforms rule the day. Or at least, tools that ‘play nice’ with others.

Tool consolidation offers several benefits, notably enabling teams to respond more swiftly and effectively. With fewer, more integrated tools, security professionals can better understand and utilise them, improving detection capabilities and response times. Furthermore, a consolidated toolset allows for more coherent data analysis and threat intelligence, crucial in an era where data-driven decision-making is key to cyber defence. As for CISOs’ CFO counterparts, spend consolidation is a nice bonus.

CISOs who embrace this ‘anti-resolution’ will find their teams better equipped to manage the ever-evolving threat landscape. It’s not about having more tools; it’s about having the right tools, efficiently deployed and effectively managed. This mindset shift is a significant step towards a more resilient and proactive cybersecurity strategy in 2024.

Prioritise risks

In the past, many organisations have approached vulnerability management with a ‘broad brush stroke’ strategy. However, the key to effective cybersecurity is not just identifying vulnerabilities but prioritising them based on the specific risks they pose to an organisation.

The reality is that no security team can, or should, fix every single bug or weakness in their network assets. Beyond being time and resource-intensive, it’s impractical.

Only a small percentage of vulnerabilities will pose a high risk to an organisation. So, the emphasis should always be on a strategic, risk-based approach rather than trying to fix a few hundred thousand vulnerabilities. This is where risk-based vulnerability management (RBVM) comes into play.

‘Siloed tools are so last decade’

RBVM means pivoting away from shoddy guesswork and generalist industry trends that may have nothing to do with your own attack surface. It’s about identifying and addressing the vulnerabilities that are most critical to your organisation’s unique environment. Resources are finite, so attention must be laser-focused.

The implementation of RBVM requires a deep understanding of an organisation’s specific threat landscape, including its industry sector, IT assets, size and existing security posture. This tailored approach ensures that cybersecurity efforts are concentrated where they can have the most significant impact. Moreover, RBVM goes beyond mere technical assessment, incorporating contextual factors such as asset criticality, exposure level and threat intelligence into the prioritisation process.

This shift from a volume-centric to a risk-centric approach not only optimises resource allocation but enhances overall security posture. As cybersecurity threats become more sophisticated, the ability to prioritise based on risk is not just an advantage, it’s a necessity for CISOs protecting their organisations in 2024.
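To make the RBVM idea above concrete, here is an added example (not code from the article or from Hackuity) that ranks constructed sample findings by a contextual risk score combining CVSS severity with the factors the section names: asset criticality, exposure level and threat intelligence. The weights, the exposure scale and the finding identifiers are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed exposure weights: an internet-facing asset counts fully, an isolated one barely.
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.7, "internal": 0.4, "isolated": 0.1}


@dataclass
class Finding:
    fid: str               # constructed placeholder identifier, not a real CVE
    asset: str
    cvss: float            # base severity, 0-10
    criticality: int       # business criticality of the asset, 1 (low) to 5 (crown jewel)
    exposure: str          # key into EXPOSURE_WEIGHT
    known_exploited: bool  # threat intel: exploitation observed in the wild


def risk_score(f: Finding) -> float:
    """Contextual risk: severity scaled by asset criticality and exposure,
    doubled when threat intelligence reports active exploitation (assumed rule)."""
    score = f.cvss * (f.criticality / 5) * EXPOSURE_WEIGHT[f.exposure]
    if f.known_exploited:
        score *= 2.0
    return round(min(score, 10.0), 2)


def prioritise(findings: list[Finding], budget: int) -> list[str]:
    """Return the ids of the top `budget` findings by contextual risk."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [f.fid for f in ranked[:budget]]


def by_cvss(findings: list[Finding]) -> list[str]:
    """The volume-centric ordering the article argues against: raw CVSS only."""
    return [f.fid for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample findings.
SAMPLE = [
    Finding("FINDING-1", "build-box-isolated", 9.8, 2, "isolated", False),   # -> 0.39
    Finding("FINDING-2", "customer-portal",    6.5, 5, "internet", True),    # -> 10.0
    Finding("FINDING-3", "hr-app",             7.5, 4, "internal", False),   # -> 2.4
    Finding("FINDING-4", "payment-gateway",    8.1, 5, "partner",  False),   # -> 5.67
]

if __name__ == "__main__":
    print("CVSS-only order:", by_cvss(SAMPLE))
    print("Risk-based top 2:", prioritise(SAMPLE, 2))
```

The critical-severity bug on the isolated build box drops to the bottom, while the medium-severity but actively exploited flaw on the internet-facing portal takes first place.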

Stop treating compliance as a tick-box task

The final anti-resolution for CISOs challenges the conventional view of security compliance. There are a growing number of compliance regulations that CISOs must meet, and change is the only constant when it comes to regulatory requirements.

However, approaching compliance as a tick-box exercise you go through to pass audits won’t necessarily improve an organisation’s resilience. Compliance is necessary but hardly sufficient. It’s a baseline. Just as fire safety protocols in a building are a starting point for safety but don’t account for the pyromaniac sitting in the farthest cubicle, compliance is not the endgame. Build upon these standards to create a robust, tailored security strategy that aligns with evolving cyberthreats and the specific needs of your organisation.

Cyber leaders who embrace this approach avoid the pressure-laden process of meeting a quarterly or annual audit in favour of a culture of continuous improvement. With new requirements on the horizon for PCI DSS 4.0 and NIS 2 this year, testing systems to ensure they meet compliance specifications is vital, but doing the groundwork to address these areas continuously will make for a more proactive and effective approach to adhering to industry standards. In fewer words, be the industry standard that future regulators look to.

With regulatory changes, increased board scrutiny and budgetary pressures, this year won’t be kind to CISOs. But the new year brings an opportune moment to hit the ‘refresh’ button and re-examine ingrained processes that aren’t meeting the bar you’re setting. In 2024, ditch the huge list of impossible cyber resolutions, jump off last decade’s bandwagon and start tackling cybersecurity as the forward-thinking challenge it is.

By Pierre Samson

Pierre Samson is chief revenue officer for cyber vulnerability management company Hackuity. He has nearly 20 years’ experience helping enterprises digitally transform and improve their cybersecurity posture.
