Specific security practices directly correlate to program-level outcomes, Cisco contends in its new 2021 Security Outcomes Study, which aims to help practitioners identify actions that propel the best security results.
The study’s hypothesis is simple yet compelling: To get where you want to go, you have to know not only how to get there but what you need to happen once you’re there. In other words, why do even the largest companies with the biggest security budgets still struggle to achieve certain outcomes? What do they need to manage their security risk: new technology, more training, better incident response or something else? The bottom-line question Cisco asks in the study is how a security team can determine what works best for its unique situation.
“Many security studies (and programs) start by focusing on what we’re doing rather than where we’re headed,” Cisco said in introducing the study’s findings. “But a successful security program isn’t just a set of directions; it’s a journey toward a destination.”
Cisco gathered hard data to address its open-ended questions. The vendor surveyed, through third parties, some 4,800 IT and privacy professionals across 25 countries in a double-blind study. Respondents were asked about their organization’s adherence to 25 security practices spanning governance, strategy, spending, architecture, and operations, and about their program’s success across a dozen high-level security objectives to enable the business, manage risk and operate efficiently.
As for the survey’s top-line results:
- Change is a primary factor in cybersecurity success. On average, programs that include a proactive, best-of-breed tech refresh strategy are roughly 13 percent more likely to report overall security success, the highest of any practice and an indication of the importance of cloud and SaaS solutions.
- Firms that rarely upgrade infrastructure or only do so when things break showed significantly lower levels of success.
- Evidence that security practices affect program-level outcomes: Out of 275 practice-outcome combinations, 45 percent show significant correlation, indicating that specific practices affect the likelihood of achieving a certain outcome.
- A well-integrated technology stack has a positive impact on nearly every outcome evaluated, increasing the probability of overall success by an average of nearly 11 percent and improving recruitment and retention of security talent.
- Knowing potential cyber risks appears to correlate the least with overall success. Practices such as timely incident response and accurate threat detection correlate much more strongly with overall security success.
- Integration is the most significant factor in establishing a security culture that the entire organization embraces. Instead of traditional security training programs, which did not correlate with positive culture, investing in technology that is flexible and frictionless is the better choice.
- Across all 25 practices, those in the architecture and operations category appear most challenging to do well.
- Programs are most successful in meeting compliance regulations. Security programs struggle the most with avoiding unplanned work and wasted effort.
- NIST Cybersecurity Framework: The Identify function ranks #1 and the Protect function ranks next to last in program success.
- Practices that helped minimize the impact of COVID-19 on operations: maintaining a modern IT and security infrastructure, investing in role-based training, and keeping top executives informed.
“Security practitioners need to make fast, informed decisions,” said Mike Hanley, Cisco chief information security officer. “Yet they are often armed with dozens of tools from multiple vendors, requiring a fair amount of duct tape to get them to work together. This creates complexity, cost, and overhead,” he said. Nevertheless, said Hanley, “even in the face of an ever-changing threat landscape and shrinking budgets, successful security outcomes are possible.”