In a similar spirit to our 2016 security predictions, we thought it would make sense to share what we believe are worthwhile resolutions to make as you plan for the year ahead. These aren’t all specific to security, but the principles are certainly all relevant for dedicated security teams, as well as for IT more broadly.
Here are our resolutions, in no particular order:
- Resolve to lose weight: I bet you didn’t see this one coming. I’m not talking about pounds around the middle, though. I’m talking about sharply focusing priorities and actively demoting projects that won’t make a significant contribution to a great 2016 for IT. With resources stretched thin, it’s important to act decisively in determining what falls below the cut line. Paradoxically, it can be helpful to “undershoot”: target fewer initiatives than you might initially want, but resolve to excel in the ones that do make the cut.
- Get more exercise: tabletop drills and red-teaming can pay huge dividends, if done with commitment and follow-through. Commitment means that teams have to be all-in: plan the exercises well, minimize distractions, and ensure that roles and responsibilities are clear (a lack of clarity there could itself be one of the findings when you debrief the exercise). Take a cue from the military or aviation: drilling emergency procedures until they become second nature makes a night-and-day difference in outcomes.
- Read those labels: if you don’t have a rigorous process for researching, procuring, and spinning up new technologies, 2016 should be the year you resolve to do so. This goes with the “lose weight” resolution, in that you shouldn’t write the check for any technology or service until you’re certain that it aligns with a high-priority initiative and that you know how you’re going to allocate the resources you need to get the most out of the investment. Don’t let expensive technology sit on the shelf because of poor planning.
- Get out there and mingle: the security community abounds with opportunities to learn from peers. There are lots of events that are fun as well as informative, where you can learn about best practices, exchange “war stories,” explore areas where you need to shore up knowledge or expertise, etc. Many events are free of charge, though you should plan to invest in some registration fees for key events as well.
- Spend a few days phishing (in an educational way): you may not have clicked a suspicious link or opened an attachment in a phish in a decade, and the same may go for your team. But the stats show that, on the whole, there’s a lot of room for improvement. Unless you’re truly breathing the rarefied air of extreme IT discipline, your employees don’t practice safe email. You can make phishing education fun; that’s generally a good way to increase participation. Consider “gamifying” it by offering prizes for those (non-security folks especially) who can distinguish well-crafted (educational) spear phishes from legitimate email.
What are your own resolutions? Add them in the Comments section or drop us a note on Twitter.
Wishing you a prosperous and secure 2016,
The DomainTools Team