7 cybersecurity priorities that CISOs should still focus on in 2021 - ISH Technology


In 2020, a world going digital was accelerated by COVID-19, requiring companies to enable remote workforces overnight, without planning or preparation.

This shift required chief information security officers (CISOs) to keep digital security moving while recognising new and emerging threats and ensuring business continuity in a workplace that now ran on a multitude of systems, networks, devices, programmes and processes, many of them still being put in place.

As cyberattacks increase in number and sophistication, 2021 is unlikely to be any different. Based on what we've seen so far, the pandemic will persist long into this year, and the virtualized workplace will expand as businesses grow.

Both situations mean heavier CISO workloads and more unknowns. Below we present the areas that CISOs should still focus on in 2021 in order to better link cybersecurity to the business agenda.

1. Make cyber security a permanent board agenda

As digital transformation has become the core component of almost every business process, security has become a business concern and as a result, cyber security should be firmly on the boardroom agenda of every organisation.

The role of the CISO has evolved significantly, from focusing only on technology to also considering business risk. CISOs must engage with their peers in the business units and explain the importance of a robust cybersecurity programme.

Management-level boards and forums should serve as an essential means of engaging stakeholders to drive strategic initiatives.

2. Maintain investment in cloud security

As companies continue to migrate to the cloud, CISOs must prepare against more (specific) threats - data breaches, denial of service, insecure APIs and account hijacking, among others - simply because the increasing amount of information in the cloud attracts cybercrime.

Most cloud service providers include built-in security services for data protection, regulatory compliance and privacy, along with secure access control capabilities for effective security risk management and protection of public cloud workloads.

Still, it is critical for organisations to build a robust and permanent strategy covering a risk management framework, secure cloud design, security governance and cloud skills, because most incidents occur due to the lack of a good security strategy in the enterprise.

3. Implement basic IT hygiene

Cyber security is no longer the sole responsibility of IT and security teams. Security is only as strong as the weakest link.

Therefore, it is critical to ensure that every individual is aware of, and accepts, their part in the ecosystem by understanding and practising IT hygiene, which provides a healthy security posture.

IT hygiene is the first line of defence an organisation can adopt by identifying what it wants to protect, where those entities are located and who manages them. Answering these three questions in a structured format and process is the essence of IT hygiene.
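The three questions above (what do we protect, where is it, who manages it) translate directly into columns of an asset inventory, and IT hygiene in practice means checking that inventory for unanswered questions. The following is an added example, not code from ISH Technology: it runs over a small constructed inventory in CSV form (the column names and asset names are assumptions) and reports which assets are missing a location, an owner or a classification, plus per-field coverage, so the gaps can be assigned and tracked.

```python
"""Asset inventory gap check for basic IT hygiene.

Answers three questions over an inventory: what do we protect
(asset, type, classification), where is it (location) and who
manages it (owner). Rows with any of those fields empty are gaps.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample inventory; asset names and columns are assumptions.
SAMPLE_INVENTORY = """\
asset,type,location,owner,classification
crm-db-01,database,aws-eu-west-1,data-platform,confidential
hr-portal,web-app,on-prem-dc2,,restricted
fileshare-03,file-server,,it-ops,internal
vpn-gw-01,network-device,on-prem-dc1,net-team,internal
contractor-laptop-17,endpoint,remote,,
"""

# Fields that must be filled in for the three hygiene questions to be answered.
REQUIRED_FIELDS = ("location", "owner", "classification")

# Higher classification means a missing owner or location matters more.
CLASSIFICATION_RANK = {"restricted": 3, "confidential": 2, "internal": 1, "": 0}


@dataclass
class Gap:
    asset: str
    missing: list          # which of REQUIRED_FIELDS are empty
    classification: str    # as recorded, may be empty


def load_inventory(text: str) -> list:
    """Parse CSV text into a list of dict rows (header row defines the keys)."""
    return list(csv.DictReader(io.StringIO(text)))


def _filled(row: dict, field: str) -> bool:
    return bool((row.get(field) or "").strip())


def find_gaps(rows: list) -> list:
    """Return one Gap per asset that leaves any hygiene question unanswered.

    Gaps are ordered so that the most sensitive assets come first, then by
    the number of missing fields, so remediation can start where it matters.
    """
    gaps = []
    for row in rows:
        missing = [f for f in REQUIRED_FIELDS if not _filled(row, f)]
        if missing:
            cls = (row.get("classification") or "").strip().lower()
            gaps.append(Gap(row["asset"], missing, cls))
    gaps.sort(key=lambda g: (-CLASSIFICATION_RANK.get(g.classification, 0),
                             -len(g.missing), g.asset))
    return gaps


def coverage(rows: list) -> dict:
    """Fraction of assets with each required field filled in (0.0 when empty)."""
    total = len(rows)
    if total == 0:
        return {f: 0.0 for f in REQUIRED_FIELDS}
    return {f: sum(1 for r in rows if _filled(r, f)) / total for f in REQUIRED_FIELDS}


def assets_by_owner(rows: list) -> dict:
    """Map each owner to the assets it manages; unowned assets land under ''."""
    by_owner = {}
    for row in rows:
        owner = (row.get("owner") or "").strip()
        by_owner.setdefault(owner, []).append(row["asset"])
    return by_owner


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY)
    for field, frac in coverage(inventory).items():
        print(f"{field:<15} {frac:.0%} of assets answered")
    for gap in find_gaps(inventory):
        print(f"GAP {gap.asset}: missing {', '.join(gap.missing)}")
```

The ordering in `find_gaps` is the practical point: a restricted system with no owner is a far bigger hygiene problem than an internal file share with no recorded location, and the report should say so before anyone starts working through it.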

4. Build security without borders

The remote and distributed workforce works by accessing resources in the cloud, from the use of collaborative platforms to essential work-related applications.

Workflows occur primarily on the public network or on untrusted devices, thus extending the perimeter of the enterprise beyond the traditional boundaries of an organisation.

Borderless security is the need of the hour to ensure protection while business continues to run from kitchen tables and living room sofas.

5. Create a culture of cyber security

A security culture is an essential part of the wider corporate culture that encourages employees to make decisions and carry out their daily tasks in accordance with the organisation's cyber security policies.

Business leaders need to nurture an organisational mindset that prioritises cyber security: empower employees with adequate training to identify and report threats, build communities and run cyber security awareness sessions in creative and engaging ways, and reward and recognise employees who contribute to a secure organisation.

6. Modernise the enterprise security architecture

The current landscape in most organisations is driven by the following themes: the expectation of access to enterprise resources from anywhere and any device, together with protection of remote infrastructure and intellectual property; the ability to support cloud solutions and passwordless authentication; the demand for automated, continuous compliance and zero-trust network models; and a shift to security as code and adherence to data privacy mandates.

These themes are dictating the changes that need to be made to the enterprise security architecture.

7. Make the most of innovations

Trends show an increase in sophisticated cyber attacks using advanced technology in the areas of denial of service, malware, phishing, crypto-jacking, SQL injection, zero-day vulnerability exploits, watering hole attacks, social media disinformation and fake accounts.

Attackers with less technical skill turn to off-the-shelf, easily available hacking toolkits. To stay one step ahead of cybercriminals, organisations need to invest in solutions built on the latest and emerging cybersecurity technologies, such as AI and deep learning, user and entity behaviour analytics, blockchain, next-generation breach detection and zero-trust network solutions.

Organisations need to be aware and alert to the changes happening around them, the vulnerabilities present in the system and the technological innovations happening in the cyber security space to stay one step ahead of cyber criminals.

Each organisation needs to find its own approach to cyber security

Prevention, risk management and mitigation are essential, but there is no one-size-fits-all approach to cyber security. The approach should also account, where applicable, for limited budgets, a shortage of technically trained staff and infrastructure, and legacy solutions.

CISOs continue to guard against employee behaviour ranging from careless to disgruntled and malicious. Here, an assessment of business risk, not just technology risk, makes the magnitude of what is at stake easier to appreciate.

The fact that the CISO designation didn't exist a few years ago is testament to the importance of IT security in today's world. The pandemic may have dramatically raised the stakes for CISOs, but the "ball is still with them".