Protecting enterprises from data breaches, patching vulnerabilities, and addressing phishing or zero day attacks is no easy feat. Chief Information Security Officers (CISOs) and their security teams must work 24/7/365 to ensure their organization’s networks and sensitive corporate data remain secure and out of the hands of nefarious actors.

CISOs’ priorities vary depending on the size of their organization and whether it operates in a highly regulated industry such as healthcare or finance, and the various data security and privacy laws to which they may be subject.

Regardless of the industry, though, there are many shared challenges. Despite differences in company size, industry and location, CISOs generally share the following four high-level priorities: 

1. Managing cyber risk and tracking threat intelligence: CISOs and their security teams are responsible for identifying and managing risks to the organization’s information systems and data. This includes understanding the organization's threat landscape, conducting risk assessments and implementing strategies to mitigate risks. This also includes staying ahead of emerging threats, such as the use of AI to create and launch more sophisticated and harder to detect cyberattacks. 
2. Incident response & resilience: Another important part of security teams’ responsibilities is establishing and maintaining an effective incident response plan (IRP) and ensuring that the organization can quickly recover from a cyberattack or breach — an incident is inevitable, sooner or later, so this is critical.
3. Compliance and regulatory requirements: Keeping up with the increasingly complex regulatory compliance ecosystem is a full-time job in itself. In an environment of increasing regulatory scrutiny, CISOs must ensure that their organizations comply with a growing number of industry-specific regulations and data protection laws. These may include GDPR, CCPA, HIPAA, SOC 2 and others.
4. Building and fostering a strong security culture: In many respects, security breaches are still an “inside job” given the role of employees in most incidents, from poor security practices to critical mistakes. By creating a security-aware culture, often through continuous training programs and awareness campaigns for employees at all levels, CISOs can reduce the potential for human error and increase the organizations’ security posture.

Correcting two common misconceptions

Despite common obligations and priorities, security leaders should also be aware of two specific misconceptions pertaining to managing asset end-of-life, and their relevance to data security and environmental impact. The two common practices and misconceptions include:

Misconception #1: Decommissioned data center server drives 

There is a widespread belief that once decommissioned, data center server drives must be physically destroyed to protect the data left on them, 100% of the time. With a lifespan of just three to five years, according to some estimates, between 20 and 70 million very expensive HDDs reach end of life every year in the U.S., most of which are shredded and dumped into landfills — that’s a lot of scrap metal. However, destruction is not necessary, and there are alternatives available to make organizations’ data center decommissioning practices more secure and sustainable. Organizations can partner with an IT asset disposition company to have used HDDs securely sanitized, permanently removing any sensitive data and preparing the drives for a new life, either on the resale market or donating them to nonprofits in underserved countries or communities. 

Misconception #2: Applied data sanitization standards 

The most commonly applied data sanitization standard is NIST 800-88. Additionally, DoD 5220 is frequently mentioned. The latter is more than 15 years old and is recognized by experts as no longer the most effective way to sanitize data storage media. NIST 800-88, while still current, is at risk of falling behind newer storage technologies, as this standard was published in 2014. The emerging standard is IEEE 2883. Published in late 2022, this newer standard supersedes NIST 800-88 and DoD 5220 and outlines effective procedures for complete and irreversible data sanitization of the newest of storage media. Organizations should lean into using IEEE 2883 because it provides a standardized method for securely erasing data from storage devices, preventing unauthorized access to sensitive information when disposing of old hardware, enabling reuse and recycling of devices, and ultimately helping to comply with data protection and privacy regulations. It also minimizes environmental impact by enabling companies to confidently implement data sanitization (versus physical destruction) to prepare used IT assets for reuse while maintaining data secure

New year, new plan

As the year ahead brings new challenges and unforeseen threats, CISOs and their teams should evaluate the effectiveness of current security controls, aligning security initiatives with organizational goals, and prioritizing investments in key areas like cloud security, endpoint protection, and threat intelligence. Moving beyond commonly held misconceptions regarding asset end-of-life would allow CISOs to incorporate new best practices that don’t compromise data security and do support corporate sustainability objectives at the same time, and that’s a step in the right direction.