12 CISO resolutions for 2022

What are the top security priorities for the year ahead? Here’s what CISOs across industries say are their main objectives.


It’s still early days, but if this year is anything like years past, it’s safe to say CISOs will have a lot to contend with, from a continuing labor shortage to the increasing sophistication of cyberattacks to an ongoing threat from nation-state actors.

However, they also have plenty of ideas on how they’ll tackle those challenges.

To learn what they’re planning to do and what they want to accomplish in the months ahead, we asked CISOs across various industries to share their main objectives—or, their top resolutions, if you will—for 2022.

Here’s what they say:

1. Eliminate blind spots

Suyesh Karki, CISO and VP of IT at cloud software company Domo, wants to eliminate blind spots within his tech environment because he knows that he can’t protect what he can’t see.


Suyesh Karki, CISO and VP of IT, Domo

“It’s important for our security teams to have visibility into all aspects of cloud applications, on-prem applications, network, services, systems, databases, accounts, third-party providers, etc. to help fortify our cybersecurity defenses,” Karki explains. “Having a complete, accurate and appropriately prioritized inventory of all our hardware, software, and supply chain assets enables our security teams to take a systematic approach to knowing what needs to be safeguarded, what controls to implement to protect, defend, and respond against any adverse events, and how to identify and produce metrics that tell the full story about our current security posture.”

2. Get a grip on ‘the web of interdependence’

Maarten Van Horenbeeck, CISO of software company Zendesk, cites getting a better understanding of “the web of interdependence” within his company’s technology environment as a top goal for 2022.


Maarten Van Horenbeeck, CISO, Zendesk

“I want to understand that mesh better so I can take action and know how to better protect it,” he says.

Although the complexity of that mesh has been growing for years, Van Horenbeeck says events during the past two years such as SolarWinds and Log4j have reinforced for him the criticality of understanding all the moving parts that make up his company’s technology ecosystem.

To that end, Van Horenbeeck has invested in technology to gain a fuller understanding of his own company’s IT environment. And while he acknowledges that getting 100% visibility into vendors’ code is unlikely, he still wants a more detailed understanding of how third parties and vendors interconnect with his company and what data they’re accessing so his team can design security strategies to limit the risks they might present.

3. Get a solid look into the providers’ IT environment

Peter Albert, CISO of the tech company InfluxData, has a similar resolution, saying he wants “an understanding of the complete scope of the supply chain.”


Peter Albert, CISO, InfluxData

He adds: “A lot of people think supply chain might be just the companies you have contracts with, but it’s so much more than that.”

For example, he says he wants to know what vulnerabilities are in the code used by third parties and which open source components vendors rely on that could add risk.

To further limit risk, Albert says he wants to implement more monitoring of his SaaS providers to ensure that his company’s data is secure as it passes through the providers’ environments.

“I think there has been almost a fundamental misconception in the industry around third-party providers that they will monitor our data, but what we’re finding is that’s not true,” he explains. “So we have to take some of that responsibility back, and that means gathering from those providers insights into who is accessing our data.”

Albert’s not wasting time on this resolution. An employee has built a prototype for ingesting SaaS provider security logs while other staffers are building models to detect anomalies that could indicate security threats.
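The two pieces of work described above, ingesting a SaaS provider's security logs and flagging access that looks unusual, can be sketched in a few dozen lines. The following is an added example and is not InfluxData's prototype or any vendor's code: the JSON field names, the sample audit events and the thresholds are all constructed assumptions. It builds a per-account baseline (countries, actions, record volume, active hours) from events before a cutoff date and then reports later events that deviate from that baseline.

```python
"""Baseline-and-deviation detection over SaaS provider audit logs.

Added example with a constructed JSON-lines log; the schema is an assumption,
not any provider's real export format.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events. Five "normal" days build the baseline; the
# events on 2022-01-10 are the ones we evaluate against it.
SAMPLE_LOG = """
{"ts": "2022-01-03T09:12:00Z", "actor": "alice@example.com", "action": "read", "country": "US", "records": 40}
{"ts": "2022-01-03T10:05:00Z", "actor": "bob@example.com", "action": "read", "country": "US", "records": 15}
{"ts": "2022-01-04T09:30:00Z", "actor": "alice@example.com", "action": "read", "country": "US", "records": 55}
{"ts": "2022-01-04T11:00:00Z", "actor": "bob@example.com", "action": "export", "country": "US", "records": 200}
{"ts": "2022-01-05T09:20:00Z", "actor": "alice@example.com", "action": "read", "country": "US", "records": 48}
{"ts": "2022-01-10T02:14:00Z", "actor": "alice@example.com", "action": "export", "country": "RO", "records": 9000}
{"ts": "2022-01-10T09:40:00Z", "actor": "bob@example.com", "action": "read", "country": "US", "records": 20}
{"ts": "2022-01-10T09:41:00Z", "actor": "svc-backup@vendor.example", "action": "export", "country": "US", "records": 500}
"""


def parse_events(text):
    """Parse JSON-lines audit events; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def build_baseline(events, cutoff):
    """Per-actor profile built only from events strictly before `cutoff`."""
    base = defaultdict(lambda: {"countries": set(), "actions": set(),
                                "max_records": 0, "hours": set()})
    for e in events:
        if e["ts"] >= cutoff:
            continue
        p = base[e["actor"]]
        p["countries"].add(e["country"])
        p["actions"].add(e["action"])
        p["max_records"] = max(p["max_records"], e["records"])
        p["hours"].add(e["ts"].hour)
    return base


def score_event(e, baseline, volume_factor=5, hour_slack=2):
    """Return the list of deviation reasons; an empty list means 'matches baseline'."""
    p = baseline.get(e["actor"])
    if p is None:
        # Accounts never seen in the baseline window (e.g. a provider-side
        # service account touching our data) are worth a look on their own.
        return ["unknown-actor"]
    reasons = []
    if e["country"] not in p["countries"]:
        reasons.append("new-country")
    if e["action"] not in p["actions"]:
        reasons.append("new-action")
    if e["records"] > volume_factor * p["max_records"]:
        reasons.append("volume-spike")
    # Tolerate small drift around the hours the account normally works.
    if not any(abs(e["ts"].hour - h) <= hour_slack for h in p["hours"]):
        reasons.append("off-hours")
    return reasons


def detect(text, cutoff_iso):
    """Build the baseline before `cutoff_iso` and return alerts for later events."""
    cutoff = datetime.fromisoformat(cutoff_iso.replace("Z", "+00:00"))
    events = parse_events(text)
    baseline = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append((e["actor"], e["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for actor, ts, reasons in detect(SAMPLE_LOG, "2022-01-06T00:00:00Z"):
        print(f"{ts} {actor}: {', '.join(reasons)}")
```

Run against the constructed log, the alice export from a new country at 02:14 trips every rule, bob's 09:40 read is accepted because it sits within two hours of his usual activity, and the provider-side service account is reported simply because the baseline never saw it. In a real deployment the baseline would be rebuilt on a rolling window and the thresholds tuned per provider, but the structure, a profile per identity and explicit reasons on every alert, is what makes the "who is accessing our data" question answerable.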

4. Do the common uncommonly well

As Booz Allen Hamilton CISO Ashley Devoto looks forward to emerging threats and a changing cybersecurity landscape, she also wants “to stay laser-focused on the fundamentals as we seek to strengthen our overall cyber resilience.”


Ashley Devoto, CISO, Booz Allen Hamilton

More specifically, she wants to ensure she has a strong program for quickly identifying and remediating vulnerabilities; good processes for efficiently implementing patches; robust employee awareness and training; and full visibility across the IT environment.

She professes her belief in the business adage that equates success to doing the common uncommonly well. “That mantra really resonates with me,” she says, citing it as part of the inspiration for her resolution.

Statistics inspired Devoto’s 2022 aspirations, too. “Hackers will continue to take the path of least resistance, so we have to be relentless on the basics. And by excelling at the basics, we’ll be postured to repel cyberattacks with speed and agility.”

Moreover, Devoto plans to develop metrics and key performance indicators to measure her team’s effectiveness and improvement on handling such fundamentals.


Niel Harper, CISO & DPO, United Nations Office for Project Services 

Niel Harper, CISO and data privacy officer at the United Nations Office for Project Services (UNOPS), lists a similar resolution for the year and offers a granular look at how he’s going to achieve that objective.

He says he wants to focus more energy and resources on privacy and data; refine and enhance the control framework around third-party risk management; improve his enterprise’s protection against ransomware; and continue promoting the importance of email security “to every business leader I meet.”

5. Push security further left

To help ensure she and her team get the security basics right, Devoto plans to embed security requirements earlier into planning and development processes. “I am prioritizing expanding our suite of preventive controls and capabilities as we take the fight ‘upstream’ to thwart cyberattacks,” she says, adding that she wants to get “left of boom” with this drive.

She’s not alone in her ambition to shift left in 2022. The 2021 Global CISO Report from software company Dynatrace found that 89% of the 700 CISOs surveyed said that microservices, containers, and Kubernetes have created application security blind spots, and 71% said they’re not fully confident that code is vulnerability-free before going live. Moreover, 85% of the surveyed security leaders said they believe “application and devops teams must take more responsibility for vulnerability management to protect the organization effectively.”

6. Start retiring the reliance on passwords

Grant Gibson wants this year to be the year he gets his company further away from using passwords for access—or at least further away from using passwords as the main form of authentication.


Grant Gibson, CISO, CIBR

He sees the move as a critical play for improving security.

“We’ve been dealing with passwords for 40 years and the one consistent theme is that they get hacked,” says Gibson, CISO for CIBR, a cybersecurity think tank.

That’s to be expected, he says. People still use the same password for multiple accounts, they pick easy ones to make sure they can remember them, and they write them down or store them in electronic files when systems require complex passwords—despite frequent warnings against such practices.

“Passwords are just out of control,” he adds, pointing out that recent high-profile attacks involved compromised passwords. 

Gibson says he’s working to implement stronger identity and access management (IAM) controls that are easier for people to use yet are more secure for the enterprise, acknowledging that there’s no single solution that will work best for all organizations.

Right now he’s implementing multifactor authentication within his own organization so that passwords aren’t the only way to authenticate users, and he’s exploring how to eliminate passwords altogether in the future.

“The goal is to get to passwordless,” he says. “In the short term that means that passwords can’t be the only form of authentication. But for the long term the goal really is to be completely passwordless.”

7. Boost agility

Ariel Weintraub’s resolution for this year is to “be more agile.”

“Cybersecurity programs are most successful when they demonstrate resilience. The last few years have shown us that threat actors constantly evolve their tactics, looking for creative ways to circumvent conventional controls and approaches. The ability to be resilient is based on the ability to quickly pivot priorities,” says Weintraub, head of enterprise cybersecurity for MassMutual and board director for One In Tech, a foundation within the IT governance association ISACA.


Ariel Weintraub, head of enterprise cybersecurity, MassMutual

She’s already taking action.

“We’re moving from an annual cycle of prioritizing projects and initiatives to a continuous assessment leveraging our daily threat and vulnerability assessment capability that allows us to identify, measure, and respond to emerging threats and risks,” she explains. “This means not being afraid to pause or end certain initiatives and pivoting to new ones in response to the latest tactics and techniques. Ransomware operators aren’t afraid to take down their whole infrastructure, rebrand, and start fresh. In the same spirit, we’re going to be agile in the way we deliver new capabilities so that it doesn’t take years to respond to new threats. It’s not a failure to stop a project when it’s no longer relevant.”

8. Build better partnerships with the business

Tightening security’s partnership with the business is Van Horenbeeck’s other top resolution for this year. “We’ve been doing this for a while, but this is the year when it really becomes the prime thing we internalize,” he says, explaining that tightening security’s alignment with the business will help both teams advance their goals.

Here’s why:

Van Horenbeeck says many security departments, including his own, have become highly proficient at identifying and addressing top-level risks within their organizations. That, though, doesn’t influence day-to-day work habits and business processes that often introduce lower-level security risks and stymie efforts to build a security-minded corporate culture.

A stronger partnership with the business will help security identify workflows that create risks. It will also help security understand why their business colleagues value those processes. That combination, along with the better relationships fostered by partnership, should help security and the business work together to find successful solutions.

“It’s really about focusing more on where our partners are going rather than telling them what to do,” Van Horenbeeck says.

9. Take care of the team

Tony Velleca, CISO of UST and CEO of CyberProof, a UST company, plans to pay more attention to his workers this year.


Tony Velleca, CISO, UST

Velleca’s right to be concerned: Some 84% of security professionals said they’re feeling burned out, according to the December 2021 State of Access study from software firm 1Password.

Velleca says he’s looking for ways to not only retain talent but to motivate and energize them as the COVID-induced uncertainty and disruption drags on.

Like executives at many other companies, Velleca had a mostly on-site workforce that moved to remote overnight nearly two years ago. He acknowledges that the virtual environment has some benefits but at the cost of the face-to-face interactions that help people bond.

Velleca says his company plans to bring people back to the office with options to work remotely, a move he hopes will help re-energize people.

He also plans to focus on innovative projects to boost workers’ excitement, and he’s deploying more automation to shift workers away from repetitive tasks to more engaging higher-level assignments.

10. Inspire new talent

Lena Smart, CISO of MongoDB, wants to help address security’s storied talent shortage, resolving in 2022 to recruit people to the profession.


Lena Smart, CISO, MongoDB

“I plan to continue playing an active role in mentoring and supporting the outside infosec community,” Smart says.

She herself took an unconventional path into the field. She left school at 16 and skipped a university education. She got into computers and networking thanks to her own interest in the space and some encouraging employers.

Now, she says, “As a CISO I often hear from my peers how difficult it is to find talent. While it certainly is competitive to fill infosec roles, we’ve seen really positive results from finding people with the right characteristics and helping them learn the technical ins and outs.”

11. Clean house

In typical New Year’s fashion, Brennan P. Baybeck, vice president and CISO of Customer Services at Oracle, is planning to clear out superfluous tools and investments that aren’t providing value as well as identifying underutilized capabilities.


Brennan P. Baybeck, VP and CISO of customer services, Oracle

“I think now is a good time to take stock and see what’s available to us, what we had prior to the pandemic, things we piled on, where we have redundancies, and eliminate those processes and technologies that aren’t in line with the strategy,” he says.
