In April, Marvel fans finally received an ending to an 11-year saga when “Avengers: Endgame” premiered in theaters. Without revealing too many spoilers, the Avengers were tasked with undoing a finger snap (yes, a snap) executed by the villain from the previous movie. This snap was so substantial that it caused half of the universe’s population to vanish. The Avengers then spent the entire movie discovering a way to reverse this half-of-life-ending snap and preventing the villain from decimating the entire universe’s population.
While watching this movie, I began to contemplate what would happen if we eliminated all or even half of current security measures. What if organizations made no effort to train their employees on secure practices, or if we allowed both government and the private sector free rein over personal consumer information? What if no efforts were made to prevent new threats posed by drones or to enhance application security? Though this thought didn’t conjure the final battle seen in “Avengers: Endgame,” in which the characters are surrounded by fire, screaming, bullets, and aliens while fighting in a crater where upstate New York once stood, the vision of a world where security isn’t a priority is a worrying one. At the risk of sounding corny: We’re in the endgame now, and you must continually and actively keep your data and organization secure or risk losing it all.
So, what should S&R pros do to avoid any of the above scenarios? Forrester’s security and risk team has researched the variety of ways that CISOs can continue to keep their organizations secure. Below are some highlights:
- Historically, security awareness and training efforts have been halfhearted, and investment in more sophisticated solutions has been limited. CISOs struggle to justify security awareness and training initiatives, and many employees do not receive security training — a worrying fact given that many employees are unsure of their company security policies. Jinan Budge and Claire O’Malley researched business cases for security awareness and training; their research shows S&R pros how to measure the benefits of SA&T to justify more investment, as these initiatives can help CISOs instill a culture of security awareness among their employees.
- Though governments have typically been associated with surveillance, the private sector is now also a major participant in the practice of collecting, analyzing, and storing personal data. It is fully engaged in economically endorsed spying. Jeff Pollard and Claire O’Malley researched avoiding corporate scandal caused by the surveillance economy, explaining how to remain on the side of the data economy and steer clear of surveillance practices.
- Though application security is a top priority for global security decision makers, developers don’t have the skills or resources to code securely. In new research on why you must show, not tell, developers how to write secure code, Amy DeMartine and Trevor Lyness contend that security pros need to work within developers’ constraints to empower secure coding.
- As drones become more common in commercial use, they introduce new enterprise risks. S&R pros need both a strategy to protect their organization from drones and to ensure that their own drone use is compliant with applicable laws and doesn’t interfere with others’ business operations. Merritt Maxim and Salvatore Schiano analyzed how to protect your firm from drones, and they discuss the ways in which organizations can better prepare themselves for increased commercial use of drones.
- Zero Trust continues to be a hot topic. Paul McKay, Chase Cunningham, and Enza Iannopollo wrote about Zero Trust adoption in the European market. CISOs in Europe face a unique set of challenges in implementing Zero Trust, which requires more upfront planning than would be necessary in some other regions.