A brief pause before decisive action

We know the routine of the new year is settling in when the predictions stop, the resolutions go by the wayside, and the rhythm of work takes hold.

This is the perfect time to pause. For just a moment. Then to act, decisively.

Sometimes one small change is all that is needed to create big results. In security, both small changes and big results are needed. To help focus our efforts, I asked five people who inspired me last year to share one thing to change this year. I also reached out to two respected advisors for a small bonus.

What follows are seven solid suggestions to create a foundation for success in 2015: quick actions and small changes you can make before the end of the first quarter.

Jack Jones: Adopt Root Cause Analysis

Jack Jones (LinkedIn, @jonesFAIRiq) is a legend in the field of security, especially for those paying attention to the need for evidence-based practices.

One change for this year: adopt root cause analysis (RCA) in risk issue management. Treating symptoms rather than root causes is inefficient and leaves the organization with higher levels of exposure more frequently and for longer periods of time. Simply establish a requirement that all audit findings and information security deficiencies undergo a root cause analysis, and then treat the identified root causes.

Jack explained that "Few organizations perform meaningful root cause analyses on the control deficiencies identified in audits and security testing. More often, they treat the findings themselves, which are symptoms of underlying problems, rather than the causes of the findings. This wastes resources that could be applied to managing other risk-related challenges or to growing the business."

Jack shared five steps to get started in five days or less:

1. Identify outstanding risk issues (existing known audit findings and security deficiencies).
2. Perform RCA on the risk issues using the CXOWARE RCA worksheet (link).
3. Identify the one or two root causes responsible for the majority of issues.
4. Treat those root causes (admittedly, this might take a bit longer, but minimally, knowing where to focus is a benefit worth spending a few more days on).
5. Make RCA a requirement for all audit and information security risk identification processes.

According to Jack, "performing meaningful root cause analyses against a set of control deficiencies almost always identifies a small set of underlying systemic problems that, if addressed, can have a profound effect on an organization's ability to manage risk cost-effectively over time."

Ron Wilson: Tactically Prepare for the Assume Breach Mindset

Ron Wilson (LinkedIn) is the VP of Customer Success at Damballa (disclosure: I worked with Ron while building an educational series for Damballa last year). During our work together, he shared a lot of insights for leaders looking to make the shift to the "assume breach" mindset.

One change for this year: advance the "assume breach" mindset with some simple, tactical preparations. On the need to change our mindsets and prepare tactically, Ron quotes Kafka: "Better to have, and not need, than to need, and not have."

Ron suggests working through the following five steps:

1. Figure out who (internally) needs to be informed, and in what priority; define and document who owns internal and external communication.
2. Create and define the communication team. These are the folks with the skill and ability to communicate effectively during a crisis. They need to be able to rapidly translate complexity to coordinate various groups.
3. Identify who needs to help assess and remediate internally. Make sure they know.
4. Determine who you can turn to (externally) for additional support; work to get agreements in place before a breach happens.
5. Pre-define the local, state and federal agencies to work with (if the need arises); consider connections, introductions, and familiarity with the appropriate organizations.

Once the initial work is done, socialize your findings with other security leaders and influencers. Once everyone is on the same page, schedule a briefing with the executives and leaders named in the program. Use the time to review the findings, validate decisions, and open a dialogue to guide further changes. Minimally, work to tie executive perception to practitioner reality.

The simple act of working through these questions in the span of a week is a significant advantage when a breach is discovered. Equally powerful is the ability to build the dialogue necessary to guide more changes down the road.

Jonathan Sander: Get Comfortable Talking about Unstructured Data

Jonathan Sander (LinkedIn) is the Strategy & Research Officer for STEALTHbits. Brilliant, witty, and someone I count on for philosophical insights and sharp ideas.

One change for this year: include unstructured data in conversations and plans about security.

Unstructured data is information in human-generated files. Every spreadsheet, presentation, PDF, and Word document is an example of unstructured data.

"It's always been amazing to me how few security professionals think about it. I get that it's not the sexiest thing in the world. No one makes a movie about the person who copied a sensitive file. It's always about the HACKER who BROKE through a FIREWALL. That makes for better Hollywood plots and better board room presentations about funding strategic security initiatives."

Jonathan shared that up to 80% of all the data in any organization is unstructured, and that in most cases that data contains 100% of an organization's sensitive information. Of course, that sensitive information is also locked up in a database or application – so it feels safe.

"We all know people have copied that information into spreadsheets, emails, documents, and then squirreled those away in every nook and cranny of the infrastructure."

The good news, according to Jonathan, is that this one comes with an easy solution: access controls and proper policy (setting it, enforcing it).

"Security professionals are good at access control and setting proper policy. They can't do that for things that aren't on their minds, though. That's why I simply want them to put unstructured data on their lists. I'm absolutely confident that all they need is to pay attention to the problem, and they'll soon nail down the solution."

Shawn Tuma: Assess contracts and policies that govern use

Shawn Tuma (bio, blog, @shawnetuma) is the counsel I seek when I have questions on security issues, especially when it comes to discussing the CFAA and security breaches.

One change for this year: take seriously, and reconsider, the contracts and policies that govern access to and use of the company's computer network and data.

Shawn explains that "Insider misuse, whether intentional or accidental, is a substantial factor in many of the cybersecurity and data breach incidents that impact companies. The rules and regulations that govern what insiders can and cannot do on the network, and the legal remedies that are available in cases of intentional misuse, are frequently governed by the contracts and policies that the company had in place before the incident occurred."

Here are five steps to get started:

1. Inventory and prioritize all contracts and policies: take a broad view of both internal and external agreements.
2. Ensure adequate contracts and policies are in place to cover all actual and potential accesses and uses of the company network and data.
3. Look at each of the agreements and policies (by priority) individually to ensure that they work together, holistically, and do not contradict or undermine each other; if necessary, resolve conflicts.
4. Review each agreement/policy in more detail to ensure it provides adequate confidentiality requirements, notices, limitations on permissible access and usage, and rules for disclosure of information; identify potential remedies, too, like monitoring and legal action for violations.
5. Conduct periodic training with employees to explain limitations and requirements; rely on case studies to guide how to think through situations and make better decisions.

Reviewing all of the agreements might take longer than five days. However, the process of focusing on and strengthening agreements doubles as an educational opportunity. Use it to bring groups together to share the risks of interest, how to avoid them, and a mutual understanding of the consequences.

Shawn points out the power of this approach: "if a problem arises and the company finds itself in court over these issues, it will have a strong documented record to show that it took the risk seriously, used it as an opportunity to educate its workforce to help minimize the risk, and that the members of the workforce had actual subjective knowledge of these rules, which always helps."

Jay Roxe: Understand your users

Jay Roxe is the Sr. Director of Product Marketing for Rapid7. We spent the summer telling each other bad jokes (we had a few good ones) and exploring the importance of understanding how people use our systems (link) (disclosure: Jay was a client who worked with me on an educational series).

One change for this year: understand your users and how they behave.

"We saw the importance of user behavior throughout 2014 as compromised credentials repeatedly made headlines as part of high profile breaches. If you know what your users usually do, you can lay the foundation for a comprehensive user behavior analytics strategy that will mitigate these risks and alert you to potential issues as they arise."

Here are three areas to focus on in order to gain an accurate understanding of your environment:

1. Assess your administrators: We routinely work with customers who have many more domain admins than they believe. One customer estimated a dozen admins and found many more people with the keys to the kingdom.
2. Phish your users: Most current monitoring technology is blind to attacks based on compromised credentials, yet users remain susceptible to phishing. A quick phishing and education campaign at the beginning of the year can help to remind users of the best practices they may have forgotten over holiday turkey.
3. Check the cloud: Research has shown that more than 69% of terminated employees retain access to corporate information stored in cloud services. Are you aware of which cloud services are in use and who's using them?

Jay explained that "these three quick checks give you some insight on where you may be vulnerable to having users and their data be compromised. Hopefully this inspires you to consider the next question of how to put a more complete monitoring strategy in place to address compromised credentials and user-based attacks."

Two bonuses to improve your leadership

A key to successful security leadership is investing in yourself and your team. Sometimes the support we need comes from outside security and technology. To round out the list, here are two powerful concepts from experts I respect and consult with on a regular basis.

Justin Foster: Assess Emotional Intelligence and Intrinsic Value

Justin Foster is recognized as a branding expert. He is that, and more. Author of Oatmeal v Bacon: How to Differentiate in a Generic World, Justin possesses a remarkable ability to quickly distill to value and inspire improvement.

One change for this year: focus on your Emotional Intelligence and intrinsic value.

Justin explains, "Emotional Intelligence (EQ) and Intrinsic Value are linked as two of the leadership traits absolutely necessary to perform consistently under pressure. EQ creates self-awareness and empathy for others. Intrinsic Value creates an internal equilibrium that ensures that leaders are clear thinkers, decisive and modeling behavior despite stressful conditions."

Leaders can create new habits around EQ and Intrinsic Value with some of the following steps:

1. Seek professional help for untreated emotional trauma. Trauma has a numbing effect on both EQ and Intrinsic Value, creating blind spots and compartmentalization under stress.
2. Complete a self-audit of strengths and weaknesses, and share it with several influencers/mentors that you trust for confirmation and feedback.
3. Build new habits around both your strengths and weaknesses. Examples: if mentoring others is a strength, create a system/process to make this a weekly habit. If expressing feelings is a weakness, start a private journal.

These three steps will make you a more holistic leader, allowing you to better lead yourself and your team.

Roger Courville: Embrace your role as a connector

If you know of Roger's (link) work improving virtual presentations, then you're going to love his focus on connectorship. And if you're new to Roger, then you're in for a treat.

One change for this year: embrace your role as a connector -- the need to reach, teach, and lead.

"The rate and scale of change in today's world is accelerating. This means that swaths of our employees are experiencing increasing deficits in attention, making sense of things, and feeling a sense of trust and connection. Connectorship — the ability to reach, teach, and lead in a digitally-extended world — is no longer an optional skill."

Here are three ways to rapidly improve your ability to connect over the next few weeks:

1. Reach: Content is abundant, if not overwhelming. When you share something, improve your attention-getting by "annotating" with a comment that connects what you've shared with why you shared it. Example: "Interesting list -- #4 is particularly relevant to us."
2. Teach: You will be "stickier" when you are perceived as a valuable connection to have. Be the "I always learn something from you" person.
3. Lead: Leadership is influence that points in a direction. Explicitly or implicitly, use every interaction as an opportunity to connect people back to the mission, objective, or motivator.

"The good news is that really connecting with your best (and most expensive) asset, the hearts and minds of your people, can be improved with technology when you make it a people-first endeavor."

Go forth and improve

The start of a new year is a good opportunity to start fresh with a renewed focus on the priorities that actually improve your security posture. Include time to invest in yourself and improve your leadership, too.

Security is changing. The opportunity comes to those who embrace the change. No more negative. Stop talking about limits and restrictions. Frame the positive.

Executives and boards need you. What do you need to provide them?

The concepts in this slide show set the stage for a successful year (and beyond). These are investments in yourself, your team, and your program. Depending on your situation, some might take a bit longer than a week; with some focus, all of these can be completed successfully by the end of Q1.

Collectively, these represent small changes with big results.
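To close with something you can actually run, here is an added example (my own code, not from the original post, from Rapid7, or from any of the contributors) that turns two of Jay Roxe's quick checks into a repeatable script: expanding nested group membership to count who effectively holds domain admin rights, and reconciling HR's list of terminated employees against the user list of each cloud service. The directory snapshot, the termination list and the cloud user lists are constructed sample data; in practice you would feed it an export of group memberships from your directory and the user exports from each service. The group and account names are placeholders, not anything from the post.

```python
from collections import deque

# Constructed sample directory snapshot: each group maps to its direct members.
# Members prefixed with "group:" are nested groups; everything else is a user account.
# "Help Desk" is nested back into "Server Ops" to show that cycles must be handled.
GROUP_MEMBERS = {
    "Domain Admins": ["alice", "group:Server Ops"],
    "Server Ops": ["bob", "svc-backup", "group:Help Desk"],
    "Help Desk": ["carol", "dave", "group:Server Ops"],
    "Finance": ["erin"],
}

# Constructed sample data for the cloud check: who HR says has left, and which
# accounts each cloud service still lists as active.
TERMINATED = {"dave", "erin"}
CLOUD_USERS = {
    "file-share-saas": {"alice", "dave", "erin", "frank"},
    "crm-saas": {"alice", "bob", "erin"},
}


def expand_group(group, members=GROUP_MEMBERS):
    """Return the set of user accounts that are effectively members of `group`.

    Nested groups are followed breadth-first; a visited set stops the walk from
    looping forever on cyclic memberships (Server Ops -> Help Desk -> Server Ops).
    """
    users = set()
    visited = set()
    queue = deque([group])
    while queue:
        current = queue.popleft()
        if current in visited:
            continue
        visited.add(current)
        for member in members.get(current, []):
            if member.startswith("group:"):
                queue.append(member[len("group:"):])
            else:
                users.add(member)
    return users


def assess_admins(group, believed_count, members=GROUP_MEMBERS):
    """Compare the admin count people believe in to the effective count.

    `direct` is what a glance at the group shows; `effective` is what an attacker
    who compromises any of those accounts actually gets.
    """
    direct = [m for m in members.get(group, []) if not m.startswith("group:")]
    effective = expand_group(group, members)
    return {
        "direct": len(direct),
        "effective": len(effective),
        "believed": believed_count,
        "hidden_by_nesting": sorted(effective - set(direct)),
    }


def lingering_cloud_access(terminated, cloud_users):
    """Map each terminated employee to the cloud services where they are still active."""
    lingering = {}
    for user in sorted(terminated):
        services = sorted(svc for svc, users in cloud_users.items() if user in users)
        if services:
            lingering[user] = services
    return lingering


if __name__ == "__main__":
    report = assess_admins("Domain Admins", believed_count=2)
    print(f"Domain Admins: {report['direct']} direct, {report['effective']} effective "
          f"(believed {report['believed']}); hidden by nesting: {report['hidden_by_nesting']}")
    for user, services in lingering_cloud_access(TERMINATED, CLOUD_USERS).items():
        print(f"{user} left but still has access to: {', '.join(services)}")
```

The nesting walk is the part worth keeping: counting only the direct members of the admin group is exactly how "a dozen admins" turns into many more once the groups inside groups are expanded. The same reconciliation pattern applies to any service that keeps its own user list outside your directory.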