Your Security Resolutions for 2016

Posted on by Wendy Nather

We start the New Year with the best of intentions. We're going to join an ISAC and work out every day; consume only healthy and organic data; clean out our overstuffed Hadoop clusters and get rid of that out-of-fashion data; and measure our performance to match our goals. Oh yes, and we're going to stay within the security budget.

But making lifestyle changes is hard, especially in security, where cheeseburger risk management is endemic. So let's just throw out our own resolutions. Instead, we can generously create them for other people.

For CISOs:

  • In 2016, you resolve either to stop complaining about AV or get rid of it altogether.
  • You'll institute a new bribery program, where any employee who reports a security issue gets a cash prize (unless they created the issue to begin with).
  • Stop handing out your colleague's business cards at conferences; that's just mean.
  • When handling incidents, convince your PR department to stop using the phrase, "We take security seriously." Every public spokesperson gets a red clown nose.

For security vendors:

  • From now on, the following words may NOT be used in a company name: fire, threat, hack, cloud, cyber, red, blue, black, white, or any martial arts term. No, you can't get it past the filters by misspelling it, either.
  • In 2016, you resolve to stop ambulance-chasing on events that were just reported in the headlines. Instead, you will demonstrate your Awesome Predictive Powers by sending out marketing pitches before the events take place.
  • This coming year, you will get your own house in order before picking on others.

For security researchers:

  • For every live exploit demonstration for the Internet of Things, you will include safety helmets and a plastic tarp for the audience in the front row.
  • Start saving up for that graphic logo-design fund (you'll need it for every bug from now on). Consider trademarking new slang terms and shopping the movie rights as soon as your talks are accepted at Black Hat.
  • Also, just to be on the safe side, start saving up for that legal defense fund. Or at least have a friendly attorney to help you parse bug-bounty program terms and conditions.
  • Leave poor Barbie alone!!

For industry analysts:

  • Resolve to wear sunglasses at in-person briefings so that nobody can see your eyes rolling.
  • The industry needs more Magic Geometries to illustrate the market. Could someone please do the Magic Dartboard? Winning vendors hit the bull's-eye; snake oil vendors can be over in the wood paneling outside the target zone.
  • Please stop coming up with new acronyms. It only encourages startup marketers, and confuses potential buyers.
  • Bring back "The Dating Game," only for mergers and acquisitions. Report on divestitures like celebrity breakups.

For governments:

  • Call off the war on encryption. You'll still find plenty of vulnerabilities in the software implementation and apps, and maybe it will prompt better application security overall.
  • Consider treating legislation like software updates. This would make Patch Tuesday a lot more exciting, and it would be fun to see the three branches of U.S. government try to implement DevOps.
  • Resolve to standardize government agency security budgets in units of bazillions.
  • We know you like to use the word "cyber" a lot, but it's like garlic: please use it sparingly outside the home. You can't tell how bad it smells to other people because they're too polite to say so, but this is why you're having trouble getting invited to parties.

Wendy Nather

Head of Advisory CISOs, Cisco
