“As a former CISO and a former analyst,” said Wendy Nather, head of advisory CISOs at Cisco, “one of the big questions that I feel we’ve never really been able to answer is how do we know what works in security? We know what people are doing, but we don’t know if it actually works. And that’s why I’m excited about what we found here.”
Based on a double-blind survey of more than 4,800 active IT, security, and privacy professionals across 25 countries and multiple industries, the study correlates 25 key security practices with 11 desired outcomes. As such, it goes beyond what security teams are coping with today, to see what’s actually working and prepare themselves to meet the challenges of tomorrow.
For the roundtable, Nather was joined by Mike Hanley, Cisco chief information security officer and Wade Baker of Cyentia Institute, a key partner in the study. In a wide-ranging discussion, they covered many of the top concerns facing security professionals today, everything from technology and talent to leadership and culture.
Hanley began by sharing some of the key themes that emerged for him in the study, including the closer alignment that’s needed between security and the business.
“We’ve dealt with a lot in 2020,” he said, “the effects of the pandemic, the changing world around us, changing business models, new ways of thinking and working. And to me, a key trend in the survey is how are you aligning your security strategy to where it contemplates the needs of the business and accelerates the transformation that your businesses are undergoing.”
Refreshed and integrated: top tech strategies for the new year
Given the challenges of 2020, many organizations are looking to shore up their technology infrastructure to be better prepared to be competitive and innovate. Their instincts were supported by the survey results, which showed that security teams that proactively refresh their technology, as well as integrate their tools, have the most success across the board, including significantly improving their risk posture.
“How do you maintain your technology?” asked Baker. “Do you only fix it when it’s broken or do you proactively upgrade and seek best-of-breed, newer, modern technology as part of your infrastructure? Those are very different strategies. The one that really works is the latter, that proactive approach.”
Having a well-integrated technology stack had a positive impact on nearly every security outcome, increasing the probability of overall success by an average of 10.5 percent. But as Baker added, “it’s one of the the highest contributors, but also one of the hardest to achieve according to respondents.”
The good news is that some of the most impactful strategies don’t require breaking the bank.
“When I saw that the top two most correlated practices work, proactive tech refresh and integrated tech, I thought, how does that help companies with very, very low margins or, government agencies concerned with good stewardship of taxpayer money. So, if you can’t do those things, what can you do instead? And it turns out that there are quite a lot of other things,” said Nather.
Cloud and SaaS security products can help close the gap. Affordable, subscription-based solutions are easy-to-deploy and integrate. And regular, automatic updates ensure the technology is continually modernized without additional cost or effort.
Wade Baker was quick to add that despite the cost of a technology refresh, in the long run it improved success over a wide range of outcomes, one of which was saving money.
“Having a strong, proactive tech refresh strategy,” he said, “upped the probability of overall program-level success, by an average of 12.7 percent. And running a cost-effective program is one of the outcomes we measured.”
Security’s secret weapons: culture, leadership, and diversity
Beyond technology, a strong, people-powered security culture was shown to be critical to success. And the discussion turned to how leaders can build that culture.
“A lot goes back to understanding what’s important to our business and what are we trying to protect,” said Hanley. “And have you actually cultivated a shared understanding of those things across many different functions of the business? It's not enough for you to unilaterally say, ‘well, I think this thing is important, therefore I'll protect it,’ but not contemplate the role of that asset or business process in how the company is operating or how it services customers.”
In that sense, everyone in the organization has a role to play in security, and the culture — and leadership — should support that.
“Even if the security team has ultimate accountability and ownership over the controls and mitigations that you put in place,” Hanley added, “it’s very important for your stakeholders to feel invested, feel heard, and feel a part of that decision. Make sure they understand what it is that you’re trying to do so that they don't feel like you're actually working against the business objectives that they're trying to achieve.”
In short, he continued, it’s about “changing your mindset from being the ‘department of no’, to becoming the department of ‘yes, and here’s how I'm going to help you get this done safely and securely.’” Mike expanded on this idea in a recent blog.
One critical element of your security culture is talent. There never seems to be enough of it on any team. And sourcing more diverse talent was seen as a key asset — on multiple levels.
“If you want non-traditional and exceptional results,” said Hanley, “you need to have non-traditional and exceptional recruiting and hiring practices. I have middle-school teachers who have been on my teams. I have artists, designers, people with liberal arts backgrounds. This diverse range of experiences, thoughts, and perspectives is actually what allows you to take a more holistic view of how people work with and experience technology security and business practices.”
The panel then spoke about how security teams can best use the study to ensure a safer and more productive year, tailoring it to their own situations — or as they called it: Choose Your Own Security Adventure.
“Overall,” said Baker, “one of the things I see across this entire study is there’s not one thing you can do to increase your chance of success by 90 percent. It's the combination of a bunch of little things done well, or better than average, that build a successful program.”
Nather noted this is an accurate reflection of real security teams’ experiences. Rarely do we see one practice have a huge impact. One of those things is a wise use of automation, she stressed.
“The best companies work on incident detection and response continually,” she said. “And they try to automate whatever they feel that they can make repeatable, consistent, and precise. But it’s not one big, massive, automated thing that is going to magically find everything.”
But she urged security professionals to explore the study and see which practices and desired outcomes best fit their organization’s unique needs.
Hanley closed with a final thought on not just understanding where the business stands today, but where it is going.
“My advice for security executives for the next year is to just get to know your business better,” he concluded. “The effectiveness of your team and how you deploy your security strategy is going to be limited by your understanding of the business around you. And maybe more importantly, get to know where the business is going. Here in Michigan we say, you want to skate to where the puck is going. It’s really important that the security strategy meets the business where it needs to be.”
We welcome the re-use, republication, and distribution of "The Network" content. Please credit us with the following information: Used with the permission of http://thenetwork.cisco.com/.