At the beginning of January, my peers and I shared our security and privacy resolutions for 2022 with CSO Online. The full article can be found here on their website.
However, I wanted to further elaborate here on my plans for privacy and security across the enterprise this year.
I have a couple of resolutions for the upcoming year. Firstly, I want to focus more energy and resources on privacy and data. My second resolution is to refine and enhance the control framework around third-party risk management. In third place, but definitely not of lesser importance, is improving my enterprise’s protection against ransomware. The next resolution on my list is continuing to advocate the importance of email security to every business leader I meet; I am specifically referring to Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF). Finally, I want to gain more control over ‘shadow IT.’
With regards to privacy and data, it’s not only about responding to growing demands from GDPR and other national and regional privacy regulations. It’s just good practice to get a solid handle on where business-critical data assets reside and how this data moves inside and outside of your organization, ensuring that you have adequate and effective controls to prevent data leakage and privacy rights violations (and of course avoid fines). Over 55% of data breaches are now caused by a third-party, so ensuring that I have an efficient, standardized approach for assessing third party risk will most definitely reduce privacy and security exposures from vendors, services providers and even contractors. Ransomware continues to increase in terms of prevalence and severity, so a strong prevention and response strategy is key to operational, financial, and reputation risk reduction. Email security in some form has been around since the early 2000s, and yet less than 35% of companies have implemented DMARC, DKIM and SPF. The value of these technologies in combating brand impersonation, reputation damage, and phishing attacks can’t be emphasized enough. Shadow IT in basic terms means that you’ve lost control and visibility into your IT environment, and if you can’t account for IT assets, you can’t protect them.
My approach to privacy and data governance is premised on user/cultural awareness, end-to-end risk assessment, detailed records of processing activities, effective incident response, strong security controls, and building capabilities to integrate ‘privacy by design’into the CI/CD. I plan to move away from using spreadsheets and manual processes to manage third-party risks, and instead leverage best-of-breed software tools that analyze, track, and minimize risks arising from supply chain exposures. With ransomware, my objective is to incorporate identity and access governance, multi-factor authentication (MFA), advanced honeypots, endpoint detection and response (EDR), and multi-tiered backups (3-2-1 strategy) into a cohesive ransomware prevention strategy. As it pertains to email security, my focus is less about my own shop (we’re already there) and more about assisting my peers and small to medium enterprises (SMEs) in properly setting up DMARC, DKIM, and SPF. Preventing shadow IT begins with enhancing usability and eliminating risky workarounds by removing the hindrances that foster them (i.e., being more agile in addressing discrete stakeholder requirements in close collaboration with the IT function).