Given the ever-increasing sophistication of cyberattacks, security resilience is no longer just a good thing to have. It’s essential.
That’s why Cisco’s Security Outcomes Report, Volume 3: Achieving Security Resilience focuses on what smart organizations are doing to attain it. Based on survey responses from more than 4,700 participants across 26 countries, the report identifies seven top success factors that boost enterprise security resilience.
We spoke with Wendy Nather, head of advisory CISOs at Cisco, for her unique take on what organizations need to be doing.
Thank you, Wendy! First off, maybe we could start with your own overview of security resilience. How do you define it?
Security resilience for me is about mitigating the effects of a breach, once the event happens. Of course, you need to do all you can to prevent a breach. But you have to operate under the assumption that you will get breached — and keep the business operating. Because even if it’s operating in a degraded capacity that’s better than being completely down. So, it’s all that you need to do to get back to a normal operating state as quickly as possible.
Given the results of the latest Security Outcomes Report, what is the state of security resilience as of 2022?
Well, 96 percent of our respondents said that security resilience was top of mind for them. But while 37 percent said they were confident that their organization would remain resilient through a worst-case cyber event, 63 percent said that they were less than confident.
The report identified seven key success factors for security resilience. Let’s start with executive support.
It may sound obvious but looking at the average resilience scores that we calculated in the study, those who had a higher score said that they had established executive support. If you do not have executive support, there is very little that you can do to gain a positive security outcome. I think this also plays into the argument about to whom CISOs should be reporting in an organization. My personal opinion is that it doesn't matter that much. If you are reporting to the CIO, CFO, CEO, or whomever, you can be successful as a CISO if you have their support.
Beyond senior leaders, the study highlighted the importance of an organization’s overall culture.
Culture is often waved off as the annual awareness training that compliance mandates. But security culture is a lot more than that. I would summarize that culture is what you do every day. When you have a strong security culture that helps support your employees, your partners, even your customers, it helps everyone make the right security decisions each day. In our study, having an excellent security culture resulted in the highest increase in security resilience: 46 percent over not having it.
The third success factor was having additional security resources in reserve — on the bench, so to speak. How can organizations add those resources?
A lot of CISOs have put external resources on retainer, like incident-response vendors, and that’s great. But it only takes you so far when it comes to responding to an incident, because that external company, even if they’ve engaged before the event, often doesn’t have the institutional knowledge that your internal people do. So, there could be a delay.
Part of the answer might be to free up people from other areas internally — like IT or business units — in an all-hands-on-deck situation. If an event happens, you can pull them in right away. A big part of building a security culture is internal training, cultivating security skills in people who may not come from a security background per se.
Especially when transitioning to hybrid cloud environments, IT and security teams battle with complexity. How can they manage it?
There can be a significant drop in security resilience as you’re working your way from on-premises to hybrid. So, you need to be thoughtful and do that transition in a way that reduces complexity. When you only have one environment, everybody understands how things operate. But you have to evolve your techniques for dealing with security events when you’re moving to cloud. Your people may have skills for on-premises infrastructure, but they’re not trained in the cloud. And everybody needs to learn it — networking people need cloud training, just as much as developers, system administrators, everybody. They need to strengthen that muscle, make it automatic so that they can respond with the same speed. You also need to know where the lines are — where you stop and where other, possibly external teams begin.
Zero Trust models were touted in the study. What are their advantages?
Well, Zero Trust offered a 30 percent boost in security resilience in the study. And I believe it’s going to be the baseline for good security moving forward. In Zero Trust, you are not relying on assumptions like we did in the past. We have better technology to be more explicit about what and who we’re trusting to do what and for how long. And that framework plays into much better security operations and better security outcomes.
Given the wide range of threats today, detection needs to be more sophisticated than ever before. How can security teams up their detection abilities?
One key we discovered was not just to do things like drills and penetration exercises more often; it was to have variation in what you practiced. Chaos engineering, or a Chaos Monkey, can randomly break things so that you can practice detecting, responding, and fixing them. Organizations tend to have their favorite scenarios and tabletop exercises that they do over and over. But when you have something that is chaotic and random, it makes you respond to things that you never thought of before. Because with security, you’re always facing things you’ve never seen before. So, practice frequently and invariably and involve not just the security team, but as many different business areas as possible.
And now for our seventh success factor: given the highly distributed cloud environments in which we operate today, how can companies take their security to the edge of the network?
Well, I describe SASE as just moving the network security controls closer to where the users and applications are today. They’re not in the data center anymore. They’re not in the office building. They are out there everywhere, especially with hybrid work, so by taking it to the edge SASE is simply moving controls and visibility closer to where the users and applications are, for a faster response. In our study, having those edge capabilities boosted resilience scores by 27 percent.
Thank you again, Wendy! In closing, any thoughts on how security resilience aligns with Cisco’s purpose of powering an inclusive future?
In my view, powering an inclusive future for all includes ensuring security for all — and building a safe and secure internet to hand to the next generations. Because security needs to be for everyone, not just large tech companies and governments. And we can’t power an inclusive future unless we’re securing that future for everybody.