10. Security by design
Shifting security left is a priority for Macwan, the Vonage CIO/CISO.
“Simply put, in everything we do—products and services for our customers or tools and technologies that enable our employee experience—all must embed appropriate security, privacy, trust and compliance from the get go,” he says.
Other CISOs echo those thoughts and likewise list security by design as a priority.
“Security issues cost exponentially less to fix when discovered during development before deployment to production, so it is a critical part of my roadmap (and many of my colleagues) to put security feedback into developer pipelines and empower developers to make security relevant decisions early and safely,” says Kyle Tobener, head of security and IT for technology firm Copado.
11. More automation
To help security teams better cope with a broader IT environment and ramped-up attack activity, many CISOs have accelerated their deployment of automation technologies.
In fact, the Proofpoint survey listed “improve security automation” as No. 4 on its list of priorities identified by responding CISOs.
Jeffress says CISOs are using automation to better identify threats and speed response as well as enforce security standards throughout the development and deployment of new code into the environment. He notes that automation is a key part of creating secure code, implementing security by design, and moving to the increasingly popular zero trust security model.
12. Strengthening remote work security
Proofpoint’s CISO survey reveals that almost two-thirds of responding CISOs believe that remote work has made their organisations more vulnerable to cyberattacks, with 58 per cent of them seeing more targeted attacks since enabling widespread remote work.
“People could be putting themselves and the company at risk not intentionally but because the work environment is so different,” Levine says.
That has CISOs enacting zero trust and identity-first security strategies to create a secure work-from-anywhere business model, according to analysts, researchers, and consultants.
13. Securing the cloud
Nearly 40 per cent of organisations responding to the 451 Research survey for its Voice of the Enterprise: Cloud, Hosting & Managed Services, Budgets & Outlook 2021 increased their public cloud use during the pandemic, with the vast majority of them indicating the move to public cloud would be permanent.
Levine’s company is part of that trend, and that has him rethinking security strategy. He’s deploying new tools, processes, and governance models to support the infrastructure. And he’s implementing a comprehensive cloud security governance program to get his team visibility into his company’s cloud environment and to enforce adherence to proper configurations and security standards.
14. Keeping up with emerging, evolving privacy laws
Virginia passed the Consumer Data Protection Act (CDPA) in early 2021, enacting regulations similar to the California Consumer Privacy Act. Colorado followed suit in July, with its Colorado Privacy Act (CPA).
Such actions are creating a growing patchwork of privacy regulations that organisations must track and follow.
That has CISOs, in cooperation with compliance and others within enterprise leadership, trying to put in place the technologies and processes that effectively and efficiently address the various laws as they stand today and as they continue to evolve, Warner says.
“It is almost a daily conversation with CISOs and business leaders. They’d like to deploy something and want to move into new markets, but they need to integrate serious privacy and security laws into their programs to do that,” he says.
15. Building continuity plans to account for global events
Levine is addressing another security issue revealed by the pandemic: shortcomings in his business continuity plans. He says he and other CISOs are revisiting their continuity and resiliency strategies that for the most part did not account for a worldwide impact event.
“We had plans, but it didn’t contemplate everybody going home overnight,” he says, adding that the old plan assumed geographical diversity of staff and facilities would allow for work in one impacted area to shift to unaffected regions. “Now we have to rethink what business continuity looks like.”