Give this post a like or comment if you’ve ever made a New Year’s resolution, felt the initial burst of motivation, and then watched it fade quicker than a New Year’s party confetti cannon on January 1st. We’ve all been there, setting ambitious goals only to see them become distant memories as February rolls in.
But in the realm of cybersecurity, failing to follow through on resolutions and critical priorities can have more dire consequences. As CISOs, we’re entrusted with building and maintaining the digital shields that protect our organizations from a relentless barrage of threats and attacks. The stakes are high, and our goals hold the weight of data breaches, operational disruptions, and reputational damage (both individually and for the company).
So, how do we avoid the resolution rut and transform our cybersecurity program goals into tangible results? By leveraging the lessons learned from the well-trodden path of New Year’s resolutions, of course.
The Sobering Statistics of Resolutions:
Here are some interesting statistics from Drive Research (a market research company):
• 92% of adults will not follow through on a resolution.
• 43% of goal-setters have forgotten their resolution by February.
• 80% of New Year’s resolutions are forgotten by February, while 46% of adults still stick to their resolutions after 6 months.
• More specifically, people are likely to quit on the second Friday of the month–dubbing it “Quitter’s Day.”
These numbers might seem discouraging, but they also hold valuable insights into human performance for cyber leaders. We can learn from the pitfalls of individual resolutions and apply them to our professional and cyber program goals, increasing our chances of success.
From Inspiration to Implementation:
• Specificity is Key: Ditch vague ambitions like “improve security posture” for detailed, measurable goals like “reduce Mean Time to Respond (MTTR) by 30% through 2 annual tabletop rehearsals, additional automation implemented through SOAR, and successful completion of our enhanced incident triage project”.
• Break it Down: Divide your ultimate goal into smaller, achievable milestones. Celebrate each milestone, not just the final destination.
• Plan for Pitfalls: Identify potential roadblocks and proactive solutions. Anticipate budget constraints, resource limitations, and resistance to change, and build a margin to adapt to challenges or unexpected tactical changes.
• Track and Adapt: Regularly assess progress, assess the effectiveness of your strategies, and adapt your approach if needed. While external assessment can be helpful and provide an independent viewpoint, you should be constantly internally measuring and tuning your cyber program, just as you would a SOC or DLP tool. Security Performance Management tools like TrustMAPP, or a GRC tool capability customized to align control owners to framework sub-categories and to track performance, initiative results, and overall maturity closer to real time, can be very effective.
• Accountability Matters: Share your goals with stakeholders and create a supportive network. Enlist the help of your team and hold them (and yourself) accountable. If you are a CISO, who can this be for you? Your boss, your deputy CISO, your ERM leader, or a senior business sponsor for your program can all be good options.
Beyond New Year’s and the January Reset:
Here are some tips to help you be successful throughout the year in driving progress forward against your most critical needs, goals, and initiatives:
1. Find Your WHY: Remind yourself of the bigger picture, the lives and assets you protect.
2. Set SMART Goals: Cybersecurity is a journey, not a race. As mentioned above, setting specific goals is imperative to success. By adopting a strategic, deliberate approach, setting SMART goals, and embracing continuous improvement, CISOs can transform their resolutions into resilient cybersecurity realities. SMART goals are Specific, Measurable, Achievable, Relevant, and Time-bound. It’s a simple acronym, but these fundamentals matter.
3. Embrace Lifelong Learning: The cybersecurity landscape is ever-evolving, so continuous learning is crucial. If you rest on your laurels or previous expertise, you will be left behind.
4. Seek Support: Build a network of mentors, colleagues, trusted consultants, and industry professionals who can offer guidance and encouragement. You will be busy throughout the year, but it is imperative to take the time to build and maintain these key relationships with sage advisors.
5. Embrace Continuous Improvement: Don’t wait for the new year to re-evaluate your program. Implement a culture of ongoing feedback and iteration. Regularly assess risks, track metrics, and adjust your strategy based on real-world threats and vulnerabilities.
6. Use Key Performance Indicators (KPIs) to track your progress and identify areas of improvement. KPIs can include things like mean time to respond/restore/recover (to incidents). The important thing is to use KPIs that align with your goals and provide actionable insights. KPIs help you demonstrate how your team is performing. Key Risk Indicators (KRIs) help you tell the story of risks that you face.
7. Prioritize People: Your cyber team and the broader employee workforce are (and must be positioned as) your greatest asset. Invest in training and professional development opportunities for your team as well as comprehensive awareness and culture change programs for the broader employee base. Foster a culture of open communication and collaboration, where reporting potential threats and asking questions is encouraged, not punished.
8. Enable Positive Culture Change through OCM: Organizational Change Management (OCM) methodologies and tactics within our program can significantly help your organization embrace the changes with technology and security expectations throughout the year. If you’ve ever implemented an IT solution that very few users utilized, then you would have learned the importance of OCM. Kevin Costner’s “Field of Dreams” was a great story for a movie, but “if you build it, they will come” has no relevance in cyber programs.
9. Embrace Technology, but Don’t Be a Tool Junkie: Security tools are valuable, but they’re not magic bullets. Focus on integration, automation, and orchestration to extract maximum value from your existing technology stack. Don’t chase the latest shiny tool; prioritize solutions that address your specific needs and gaps.
10. Celebrate Small Wins: Acknowledging progress, no matter how incremental, keeps motivation high. Burnout is a significant risk among cyber professionals facing a constant battle in a never-ending war. Showing them a little love and appreciation can go a long way to keeping their heads in the game.
Here’s to a 2024 filled with cybersecurity victories, not abandoned aspirations. Let’s make it the year we build impenetrable defenses, empower our teams, and leave the “resolution graveyard” behind for good.
Remember, we hold the power to rewrite the cybersecurity narrative. Let’s make it one of unwavering resilience and proactive defense.
Do you need help evaluating your cyber program, transforming your strategic agenda, or setting up capabilities to measure and fine-tune your focus? You can chat with me via direct message on LinkedIn or reach out to our team via firstname.lastname@example.org.
At Reveal Risk, we evaluate, design, and deliver strong programs, processes, and results in cybersecurity. If you find that you want assistance in building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to connect with us at email@example.com.