This week, we released the Cisco 2015 Annual Security Report and used it as a platform to introduce the inaugural Cisco Security Manifesto. Our motivation for creating this set of security principles was to underscore to organizations that they must be more dynamic in their approach to security so they can become more adaptive and innovative than adversaries—and better protect users.

Here’s a quick overview of the five basic principles of the Cisco Security Manifesto:

  1. Security must be considered a growth engine for the business. Security can’t stand in the way of user productivity and business innovation. It is less likely to become a roadblock if security teams are included in conversations about new technology deployments.
  2. Security must work with existing architecture and be usable. “Architecture overload” is what drives users to circumvent security architecture, leaving the organization less secure.
  3. Security must be transparent and informative. If users can’t take a certain action because of security, they should be told why—and be offered a safer way to achieve their goals, if possible.
  4. Security must enable visibility and appropriate action. Security teams need to be able to verify that the security solutions the organization relies on are truly effective.
  5. Security must be viewed as a “people problem.” People, processes, and technology together must form the defense against today’s threats. Security technologies are merely tools.

For some time now, we at Cisco have been saying that to deal with today’s biggest security challenges, organizations need a simpler, scalable, threat-centric approach that addresses security across the entire attack continuum—before, during, and after an attack. The Cisco Security Manifesto is intended to help organizations evolve toward that approach, and gain a broader view of the attack continuum.

While many threats can be avoided, compromise is inevitable. “Real-world security” means having the ability not only to reduce the time to resolution when compromise does happen, but also to keep users, the ultimate assets, protected. And it has never been more important for security teams to focus on improving user protection. As the Cisco 2015 Annual Security Report explains, users are not only targets for today’s adversaries, but they are also now “the complicit enablers of attacks.”

We suggest that embracing the principles in the Cisco Security Manifesto, or a similar set of guidelines, will better position organizations to help every user—from the chief executive to the newest hire—to understand their place in the “big picture” of security. When users no longer need to engage in risky behavior for the sake of doing their jobs and also understand the potential security consequences of their actions, security teams can better protect them. And better-protected users are far less valuable to adversaries who rely on them to be weak links in the security chain.

As they say, knowledge is power.


Jason Brvenik

Principal Engineer

Cisco Security Business Group