Feature Story

The Fab Five: A practical guide to what works in security

Cisco’s Wendy Nather shares her thoughts on the top security practices that drive the best outcomes.

Securing an organization is an ever-changing and never-ending challenge. That’s why it’s so important to pinpoint the strategies that work (as opposed to the ones that teams think are working).  

Cisco’s Security Outcomes Study does just that. Based on independent research conducted for Cisco by the Cyentia Institute, it centers on an anonymous survey of 5,100 IT and security professionals in 27 countries. And it pits key security practices against a wide range of the most desired outcomes, everything from avoiding breaches, keeping up with the business and minimizing unplanned work, to recruiting and retaining talent and meeting compliance regulations 

In this interview, Wendy Nather, Cisco’s head of advisory CISOs, shares her thoughts on the Fab Five, those top practices the data revealed that drive the best outcomes. 

Q. Thank you, Wendy! Cybersecurity is a never-ending challenge, and for most organizations the stakes are higher than ever. What was the overall goal of the Cisco Security Outcomes Study, and how can it help?

A. As a former CISO, I would get all sorts of benchmark reports. And what really bugged me was looking at lists of what my peers were doing and thinking, “Well, what if some of my peers are really bad at security?” What I’ve been much more interested in for most of my career is what actually works. So, that was the impetus behind the Security Outcomes Study, not just to ask people their opinions on what they thought was working, but to do an objective study.

Q. The Fab Five are the key strategies that statistically correlated to the best outcomes. Could you share some key highlights that emerged from the data for each, starting with proactive tech refresh? 

A. At first, I felt that tech refresh was probably based on conventional wisdom, the thinking that everything new is better. So, I was really taken aback to see just how strongly a proactive tech refresh strategy correlated with all of the outcomes. And along with the second, having integrated technology, it was, far and away, statistically more impactful than other practices. 

It probably won’t surprise anybody that if you have modern, centralized, and cloud-based technology and architectures — those three things — then you are the most likely to be able to do really well at proactively refreshing your technology. But the important thing to note is that even if you don’t have cloud-based technology, the data told us that as long as it’s modern, and as long as it is consolidated, you are still going to be in a really good position to update it.

Q. What are some other insights that emerged around a well-integrated technology stack?

A. Most of our respondents preferred to get out-of-the-box technology integrations, rather than building the integrations themselves, or going with a single vendor who has everything integrated. But while they preferred to get out-of-the-box integrations, the ones that correlated the most with actually having good tech integration were the ones that got it from a single vendor. So, they preferred one thing, but what really worked was a different thing.

Q. Speed is of the essence in a security breach. How can organizations attain a timely incident response?

A. We found some interesting data around this as well. Our respondents tended to feel that they were doing the best when they had their incident response program outsourced. However, if we took a metric like, mean time to respond, we found that companies that had insourced their incident response, kept it in-house, were actually faster. But again, the ones who outsourced felt better about it.

We also found that if you were completely outsourced or completely insourced, you had a certain level of mean time to respond, but it got a lot worse if you had a mixed model. So, if you had some of your incident response outsourced and some on-premise, the mean time to respond went up. I suspect this has to do with one side calling the other after an incident is detected, and then figuring out who owns it. We’d need to study this further, but having a mixed model does appear to complicate things.

Q. Even with a great defense, organizations should still assume they can be hacked. How can they ensure resilience and recovery after a cyberattack?

A. There’s some things we found that really do help to get better at being resilient. One of them is simply having your business continuity and disaster recovery program overseen by somebody at board level. I think that’s probably because your organization is more likely to pay really close attention to security. You’re more likely to get the resources that you need.  

Another interesting thing is that there was a significant difference with companies that used chaos engineering or implemented a Chaos Monkey, which is a program that deliberately goes out and breaks random things, so that you can practice fixing them. They did much better at incident response and resiliency. My theory is that if you are practicing the same scenarios for incident response over and over again out of the same playbook, it limits you. Whereas if you have a Chaos Monkey, you never know what they’re going to break, and you get practice responding to unpredictable and unplanned events. And that makes you even better.

Q. And how can teams better prevent a breach with accurate threat detection?

A. One thing we learned is that to get really good at threat detection and response capabilities you need to focus on people, process, and technology, all three of these areas. And if you are good at all three of them then your competency in this area is going to be at the top. However, we didn’t find that any one of those three was more important than the others. So, basically, if you pick any two then you’re going to do better.

That was interesting in terms of adding automation to your incident response and threat detection. We found, for example, that adding automation will help compensate for having very junior people. If you cannot get the senior level of skills that you need in your program automation can help you bridge the gap. 

Q. This survey was conducted anonymously by a third-party research firm. But how do these five strategies align with Cisco’s security offerings?

A. I would say that they are very much in line. People might roll their eyes at a Cisco survey that says refresh or integrate your technology, but this is what the data told us. And even we were surprised at the extent to which these made a difference across the board. 

Q. Any final thoughts on security, moving forward? How optimistic are you for the coming year?

A. I’m feeling pretty optimistic. I think that we’ve lived through one of these experiences that will have us coming out stronger and more flexible. I know that a lot of our customers are saying that before the pandemic there were security measures that they couldn’t get approval to do, but now they are feeling there are more possibilities. And they’re feeling more capable. 


Related content: