Five Actionable Success Tips for Security Professionals in 2023

Author: Samantha Hart, Global Chief Information Security Officer
Date Published: 6 December 2022

Editor’s note: The ISACA Now blog is featuring a weeklong series providing tips for success in 2023 for practitioners in various digital trust fields. Today, we look ahead to 2023 for security professionals.

I work as Global Chief Information Security Officer for a rapidly expanding business in the insurance and consulting sector. My background is technical, working my way through desktop support, network engineer and infrastructure architect roles before finally crossing the Rubicon and beginning my GRC career with a CISA credential many years ago! Suffice to say my background has enabled me to speak on terms with my technical colleagues and still helps me translate risks and issues back to the board.

The move to the C-suite has not always sat squarely with me. As a CISO, I have had to learn to let go over the years. I trust and rely on my team to escalate where necessary, and I don’t poke my nose into (quite) everything nowadays. I can no longer configure routers, which I sometimes really miss!

Thinking about this blog post highlighting actionable tips for security professionals in 2023, I wondered where to begin. In the end, I have drawn on lived experience, and hopefully a couple of the points will resonate and be of use to you in the year ahead.

I start with the absolute most important:

1. Have a personal incident response plan
We all have CIRT/SIRT teams, major incident response plans and playbooks, but how many of us consider the real personal impact if we need to deploy these plans? Everyone has a home life, and they will differ greatly, but no one can run 24/7. Some of us have caring responsibilities, and we all get stressed. More work-from-home brought about by the pandemic has only heightened these challenges. My tip is to make sure that you have a plan for when the worst happens because you need support at home as well as at work, and that often gets overlooked. If you have a plan, you are prepared and can put your focus where it needs to be.

2. Turn the camera on/go into the office (if you have one)
This is about making connections and re-connecting in a post-pandemic world. Lots of us may have lost our offices, but it’s so important to try to keep the human connectivity within technical professions. I try to go to one of our offices weekly and make trips to the US quarterly (I am based in the UK) to make sure I get to speak to my colleagues face-to-face. You get to talk about non-work-related activities and understand a bit more about individuals’ motivations, which helps all of us feel better about reaching out when we need help.

3. Know your business
This is focused on understanding how the business you work for makes its money. Working in cybersecurity and GRC, we are keen to see risks mitigated and controls applied, but the biggest risk to a business is that it doesn’t survive, and we need to be clear that our job is to help the business grow by protecting what it cares about and being trusted advisors, not the people who say NO. Speak to your department heads, go for a coffee and find out how you can support them.

4. Be flexible
The threat actors are evolving attack mechanisms constantly, new technologies are emerging and business priorities are changing. You need to be adaptive and change-positive to deal with the moving floor and not become overwhelmed. Sometimes everything is a priority, and it takes a lot of effort to step back and take a pause. My team takes an agile approach to work planning as this complements operational IT and development teams and helps us track progress. I also like breaking what can sometimes seem like a mammoth task down into its component parts.

5. Embrace the tooling but don't forget the humans
Lots of cash is required to have the latest shiny tools we need to combat our common enemies. Yes, we do need to fully understand our attack surface and ensure we have all of the controls in place to detect and respond – however, all the tools in the world won't take the place of skilled and valued team members who will monitor and respond to the alerts with a human eye that knows what is benign and what is an attack. People can quickly pick up the phone to call a colleague (see #2) and check if any unplanned work is taking place or if the alerts are in fact malicious. The team is of course hugely supported by the tooling, but always remember the most important part of your protection capability: people.

In summary, this blog post is not about anticipating the latest trends for 2023 – there will be many security vendors more than willing to tell you about that – but I do hope this guidance will help you thrive as a cyber and GRC professional in the year ahead. Keep grounded and keep smiling!