The number one thing organizations can do to improve their security programs is to refresh their technology. That was one of the unexpected findings from a Cisco Security Outcomes Study released Dec. 1.
“This report will change how we think about running infosec programs,” said Wendy Nather, Head of Advisory CISOs, Duo Security at Cisco. The study is based on a massive survey of over 4800 security and IT professionals in 25 countries, including Canada. The goal was to measure what factors lead to the best security outcomes in order to provide guidance for security leaders.
“The one thing that jumped out at me right away is the idea of having a refresh program,” said Dave Lewis, Global Advisory CISO at Cisco Canada. Lewis said it’s a great example of how to improve security “without a lot of heavy lifting.”
To drive successful outcomes, security practitioners should also focus on developing a well-integrated technology stack and timely responses to incidents, according to the report. Interestingly, the study found that big budgets do not correlate with cybersecurity success. Rather, success has more to do with defined, repeatable processes that reduce risk, said Lewis. “You can buy all the tools you want, but it doesn’t help if no one’s looking at them.”
A tech refresh strategy supports business growth
Survey respondents with proactive, best-of-breed technology refresh strategies were 11 to 15 per cent more likely to report successful security programs. “What appears to be a strong correlation between continually upgrading your tech and program success may spell bad news for organizations that use technology like furniture – meaning, it sticks around until it breaks,” says the report. Indeed, those who said their firms rarely upgrade infrastructure or do so only when things break showed significantly reduced rates of success.
Similarly, the report showed that outdated, fragmented infrastructure hinders the business. “Security must move, change, and adapt along with revenue-generating activities,” it says.
This doesn’t mean organizations have to replace everything all in one go, said Lewis. “They should, however, have a keen eye to making sure they’re current and things are documented. This will obviate a lot of the security issues that are introduced in older revisions of software and hardware.” It is more a matter of proper security hygiene, he said.
Lewis sees this exercise as a “battle of increments, where you’re going through and each piece that you whittle away, you’re getting that much closer to a better security position for your organization. There is no way to boil the ocean for any organization.”
A well-integrated tech stack improves defences and employee morale
Ensuring that technologies work well together as an integrated defence increases overall success by an average of about 11 per cent. “Security buyers often have dozens of different tools from multiple vendors, and generally have to use a fair amount of duct tape to get them to work together,” says Mike Hanley, Chief Information Security Officer, Cisco.
A good technology architecture also increases the probability of building a successful security culture by seven per cent. It plays an important role in attracting and keeping top security staff. “Absolutely no one enjoys wasting their time and talents overcoming bad technology,” notes the report.
“Organizations should do a clear assessment of what they need and what they’re trying to protect in their organization,” advises Lewis. This is all part of playing good security offence and defence. “It’s not the same thing as taking two hockey sticks and duct taping them together and hoping for the best.”
A timely incident response process is good for business
According to survey respondents, timely responses to incidents improve security program success by almost five per cent. This requires thorough preparation, smart tools and tested processes. A good assessment of assets and applications provides better visibility, said Dave Lewis. “When an incident does occur, this gives them the ability to respond quicker.”
Surprisingly, effective incident response was also seen as a top business enabler. It’s not just about fighting fires, says the report. “It’s ultimately about handling unexpected events with minimal impact to the business.”
Organizations can also benefit from establishing a learning security culture, notes the report. It’s not enough to study the big public incidents for clues on how to avoid them; organizations should also conduct reviews of their own major incidents or near-misses. “Lessons learned are invaluable, especially when you review incidents within your own organization and learn from them,” said Lewis. “You can’t put a price tag on that.”