Ten New Year Resolutions Security Teams Can Actually Keep

New years are for momentum. For security teams that momentum should be deliberate, measurable, and practical. Here are ten resolutions that focus on reducing risk, increasing resilience, and delivering results without endless procurement cycles.

1) Build a one year zero trust roadmap and start small. Zero trust is a design philosophy, not a flip-the-switch product. Choose two high impact use cases to start with: protect privileged access and segment critical data flows. Use an incremental roadmap with quarterly milestones and measurable outcomes such as percent of high-risk services behind access policies and mean time to revoke compromised credentials. NIST’s Zero Trust Architecture provides the principles to turn theory into architecture you can implement.

2) Make phishing-resistant authentication a priority. Replace SMS OTPs and risky push-only patterns with phishing-resistant options where practical. Fast wins include rolling out hardware security keys for high-risk accounts and piloting passkeys for employees. CISA and FIDO guidance recommend phishing-resistant MFA and describe practical pathways for adoption. Aim to move your most privileged and externally accessible accounts to phishing-resistant authentication this year.

3) Put an SBOM program in place for owned and critical third-party software. A Software Bill of Materials is the inventory you need to manage component risk and respond faster when vulnerabilities are disclosed. Start with critical applications, require SBOMs from key suppliers, and automate SBOM generation in CI pipelines. The NTIA minimum elements for SBOMs give a pragmatic baseline for what to collect and why.

4) Embrace threat-informed defense with ATT&CK mappings. Use MITRE ATT&CK to prioritize detection and monitoring work by mapping recent incidents and telemetry gaps to specific tactics and techniques. Run one focused emulation or purple team exercise this quarter that tests detection coverage for your top three business-impacting scenarios. MITRE ATT&CK is a practical lingua franca for threat modeling and detection engineering.

5) Reboot vulnerability management with business context. Move beyond scanning schedules and focus on exploitability and business impact. Triage findings by exposure, asset criticality, and known active exploitation. Set targets like median time to remediate critical exploitable findings and validate fixes with follow-up scans or tests. Automate ticket creation and risk scoring so teams spend time fixing, not filing.

6) Run quarterly tabletop and one live play. Tabletop exercises are cheap insurance. Use realistic, scoped scenarios that include not just IT, but legal, communications, and business owners. Schedule one live incident simulation each year that exercises alerting, containment, and external notification workflows. Measure playbook accuracy and update runbooks within two weeks of each exercise.

7) Measure telemetry health and increase signal-to-noise. You cannot detect what you do not log. Audit critical log sources, centralize collection, and adopt measurable SLAs for log completeness and retention for key data types. Target a reduction in false positive alert volume by tuning detections and applying context enrichment from CMDB and identity systems.

8) Invest in automation where it reduces toil. Automate repetitive but critical tasks such as onboarding assets to monitoring, routine containment steps, and enrichment of alerts with context. Start with small SOAR playbooks that save analyst time and expand as you validate benefits. Track analyst time saved as a KPI to justify expansion.

9) Tighten supply chain and vendor security checks. Add a minimum security questionnaire and proof points for any new vendor handling sensitive data. Require evidence of secure development practices, SBOMs, and incident response timelines for critical suppliers. Prioritize remediation plans for vendors who touch sensitive systems.

10) Commit to continuous learning and realistic metrics. Schedule regular training that includes both technical exercises and threat briefings for leadership. Replace vanity metrics with ones that drive action: mean time to detect, mean time to contain, percent of critical systems with phishing-resistant MFA, and percentage of critical applications with an SBOM. Review these metrics with the business quarterly.

Keep resolutions practical. Pick two to four items from this list that map to your organization’s biggest risks and create measurable milestones. Use pilots and phased rollouts to prove value before scaling. Security teams should favor iteration over perfection. Small, measurable wins compound into real resilience.

If you want a one page starter checklist or an editable roadmap template to hand to your leadership, I can draft one you can adapt to your environment.