Live Demo
Blog   >   General   >   Threat Stack’s 2018 New Year’s Security Resolutions

Threat Stack’s 2018 New Year’s Security Resolutions

Insights from
Chris Ford, VP of Product, and Pete Cheslock, Senior Director of Operations and Support

Instead of the “predictions” that are usually offered up at this time of year, we decided to focus on security resolutions. So rather than surveying a variety of issues that might (or might not) affect your security operations in the coming year, we want to talk about resolutions that, if you put them into play and follow through rigorously, will offer a sure way of strengthening your organization’s security habits and posture.

Security should never be thought of as a one-and-done proposition. It’s an ongoing, evolving process, and instead of “getting secure,” smart organizations focus on continuously improving their security postures. As with any other type of improvements you want to make, it can be helpful to take a moment to pause and consider your goals for the coming year. Instead of good intentions that don’t translate into action, make resolutions around the reality of today’s security landscape and the very real challenges that are likely to arise in your organization in 2018.

To help you do this, we sat down with two of our cloud security experts, Chris Ford, VP of Product, and Pete Cheslock, Senior Director of Operations and Support, to ask them what resolutions they recommend companies make regarding security in 2018. Here’s what they had to say.

Resolution 1: Come to terms with your security maturity level.

Chris Ford, VP of Product

How mature is your organization when it comes to cloud security? If you’re still thinking about security in terms of network perimeters, then the answer is … not very mature. Believe us, hackers are opportunistic and when it comes to security, and they’ll exploit any vulnerability they can find. The start of the new year is an excellent time to take stock of where you really stand and to make a plan to increase your maturity throughout 2018. We recommend that you consider our Security Maturity Model, which offers a way to score your organization on its current maturity and progressively level up. It’s not about being perfect on day one, but about being realistic about where you stand now and what the next steps are for your unique organization.

Resolution 2: Don’t let security concerns stop you from migrating to the cloud.

Chris Ford, VP of Product

We believe that 2018 will be a big year for organizations to recognize that moving to the cloud is not just a way to boost efficiency or reduce costs but is, rather, the key to gaining a significant strategic advantage over competitors.

While it was possible to delay going to the cloud when the gains seemed to be marginal, that’s just not the case anymore. Moving to the cloud is the best way to increase your business’s velocity and make a sweeping, digital transformation that could be the difference between a successful year and one in which your competitors sail out ahead of you. So while there are indeed new security concerns that come with moving to the cloud, you can systematically learn what these are and how to address them so you don’t have to postpone taking advantage of the cloud any longer. (If you’re not ready to make the leap today, here are some intermediate steps you can take to start the transition on the right foot.)

Resolution 3: Automate wherever possible.

Pete Cheslock, Senior Director of Operations and Support

Security teams today are often understaffed and at times lack the necessary training to take on the proliferating and advanced threats in our current cyber environment. With the security talent shortage unlikely to end anytime soon, it’s time to look for ways to stretch your budget and your team. Fortunately, the cloud provides an opportunity to automate many aspects of security, and therefore, we recommend looking for areas where you can remove the daily burden from your team by automating rote, routine tasks like alert enrichment and malware investigation. As much as possible, your team should be focused on automating day-to-day security tasks so they can spend more of their valuable time on strategic and/or proactive initiatives.

Resolution 4: Emphasize detection over prevention.

Pete Cheslock, Senior Director of Operations and Support

It’s true that the pendulum of opinion swings back and forth between the importance of detection vs. prevention. But we’re willing to plant a flag in the ground and state that, in a world of complex and proliferating threats, detection is going to be more important than prevention. (That’s not to say that you shouldn’t invest in prevention at all, but it shouldn’t be the only defense you have in place.) You should be realistic about the fact that, if history is any indicator, attackers will find a way in. So, as a defender, you also need the ability to detect threats once they are inside your modern cloud infrastructure. That’s why companies are shifting their focus to detection techniques and technologies (e.g., monitoring, alerting), and that’s why it’s time to prioritize resource spend in favor of detection. The best way to do this, in our opinion, is to invest in an intrusion detection platform that is environment-agnostic and comprehensive for today’s threat landscape.

Resolution 5: Level up security chops across your organization.

Pete Cheslock, Senior Director of Operations and Support

We hear a lot from organizations whose security teams just don’t have the resources to keep up. To remedy this, we believe it’s important for organizations to promote a mindset centered on the belief that security is a business responsibility that must be supported by everyone. To this end, one way to increase your security maturity without hiring hard-to-find and expensive security pros is to invest in security awareness training for the entire organization. This makes a great deal of sense because security isn’t just a technical problem. It’s also a people problem, and keeping the people side of the security equation strong requires that all team members at your organization have an awareness of how security works and how it applies to their roles. The goal of a well-designed security awareness program is to increase organizational understanding and practical implementation of security best practices.

Final Words . . .

Instead of looking at some of the more exotic predictions of what “might” happen in 2018, get your year off to a solid start by reviewing how the security initiatives in your organization are addressing your security priorities. Then draft your 2018 security resolutions drawing on the ideas our experts have provided or others that you have identified. When you implement them, be sure to measure your progress during the year using well-defined KPIs. By doing so, you’ll be assured of developing good security habits and continually strengthening your organization’s overall security posture.

If you’d like more guidance on security issues and practices throughout the year, feel free to subscribe to the Threat Stack blog.