Never mind all those new year's resolutions. The turn of a new year is an opportunity to take take a long hard look at your information security strategies, policies, procedures, guidelines, forms, awareness program, intranet website etc. including things such as your corporate Employee Rulebook, Code of Conduct and IT/network/information Acceptable Use Policy.
Try to view them objectively from the perspective of an ordinary employee, perhaps someone who has recently joined the organization and hence lacks preconceptions about, and an understanding of, the corporate culture with respect to valuing and protecting information. If you acknowledge that perhaps you might be a little too close to the action to see things for what they are (particularly if you wrote the materials), ask other people about the documentation. Solicit their candid feedback. An informal survey may be perfectly adequate to flush out any issues with style, readability, meaning and impact, all of which are important if the documentation is to be motivational and effective. If the initial response is "Security policies? What policies?" you have your answer already!
Good on you if you have a fabulous suite of security metrics including appropriate measures and targets relating to the documentation: you presumably already have the data you need to assess the position, in fact you will have been monitoring and responding to the metrics all year round so the new year is nothing special. Oh look, look, flying piggies!
The new year is also a chance to review the broader context for information security, including aspects such as:
- The organization: what's new in the business this year that wasn't around at the start of last year, or whenever you last reviewed things? Has the organization structure stayed the same? What's hot and what's not? What about looking forward: are the business strategies, objectives and challenges any different to a year ago? What about the markets, products, third party relationships and so forth? It's a remarkably rare organization that sees no changes year-on-year, and at least some of those changes probably ought to be reflected in corresponding updates to the corporate and information governance, including information security. Aside from that, explicitly aligning information security with The Business is the key that unlocks a rosy future - trust me.
- Information security risks and control requirements: do your policies, procedures, guidelines etc. reflect the state of our art? Are you up to date with things such as wireless networking, social media, BYOD, cloud computing, tablets and [insert another current buzzword here]? What about current threats (such as ransomware and the NSA), vulnerabilities (such as that nasty one in [name virtually any Microsoft or Adobe product here] and business impacts (see previous point)?
- External compliance obligations: whether it is updates to PCI-DSS, ISO27k, or the myriad governance, security and privacy laws and regulations that affect us, compliance is one of those areas where shifts can be seismic. Hopefully, of course, you have not only kept up with developments in 2013, but you have stayed ahead of the curve ... which means now is a great time both to confirm that you are fully compliant with the existing raft of rules and regs, and will be compliant with forthcoming changes at the time they come into effect. Are there any ground-shaking changes on your radar already for 2014? If so, how about incorporating them into your strategies and plans? Compliance obligations are golden opportunities to push things along that, in most cases, ought to have been done right all along. Most of your colleagues implicitly accept the compulsion to comply, so with a sneaky bit of planning ahead, you can use that to your advantage.
Looking back at 2013, were there any recurrent nightmares in terms of information security incidents that refused to play dead? Is it clear from your metrics that you have a weakness in your technical controls, manual controls, physical controls, preventive controls, detective controls, corrective controls, compliance controls ... or has something else been the thorn in your side, perhaps a particular system, person, team, department, business unit, site, partner or whatever? Recurrent issues recur, and will probably continue recurring, until the root causes are resolved so it's no good turning a blind eye, no matter how intractable the problems seem to be. If the issues are too big for you to tackle, get some help. Find business colleagues who also experience the pain, and collaborate with them on a new approach for the new year.