Outcomes study

by Mark Rowe

Security practitioners need to make fast, informed decisions. Yet they are often armed with dozens of tools from multiple vendors, requiring a fair amount of duct tape to get them to work together. This creates complexity, cost, and overhead, according to Mike Hanley, Chief Information Security Officer at Cisco. The internet product firm has published its 2021 Security Outcomes Study.

Getting back to the basics is not as simple as it sounds, the report says. “Security professionals used to have to fight hard for executive attention and support, but respondents indicate that we’ve come a long way in that regard. On the other hand, some of the fundamentals that the industry has been working on forever, such as threat detection and vulnerability remediation, remain a challenge for many.”

The study recommends a ‘proactive tech refresh strategy’ while admitting that this isn’t always easy for some. “Some don’t have the budget; some need to focus their resources and efforts elsewhere for various legitimate reasons. The good news is that these results DO NOT relegate such organisations to certain failure. It simply means they need to identify alternate success factors that work for their situation.”

Having a sufficient security budget was one of the factors tested, but it did not significantly correlate with overall success. “So good security isn’t just about the money.”

You can’t do cyber security well if you can’t do IT and development well (and vice versa). “And if that’s true, doesn’t it make sense to communicate and collaborate so everyone’s more successful?”

As a stand-alone practice, simply knowing potential cyber risks appears to correlate the least with overall success. This may seem surprising, but points to the importance of a comprehensive threat intelligence and incident management program with the ability to both mitigate and remediate. In fact, the company suggests, practices such as timely incident response and accurate threat detection correlate much more strongly with overall cyber success.

The study suggests that cyber security programmes are most successful in meeting compliance regulations. They struggle the most with avoiding unplanned work and wasted effort. Many C-Suite executives view cybersecurity as insurance against landing their company in the headlines for a major breach or business interruption. Those fears may be why accurate threat detection and prompt disaster recovery rise high among factors that correlate with gaining executive confidence, the report says.

See also Mike Hanley’s blog entry.

About the study

Some 4,800 security, IT and privacy professionals across 25 countries were surveyed. Visit cisco.com/go/securityoutcomes.

© 2024 Professional Security Magazine. All rights reserved.
