With technology advancement at our heels and years of global pandemic pandemonium mostly (hopefully) behind us, resilience has fast become a hot topic. Why? Because organizations are searching for solutions that will help them respond to intensifying changes and threats in ways that protect all the investments they’ve made in their business.
But what does resilience mean anyway, especially to security professionals? Cisco set out to define what security resilience means in the real world—with real programs—and more importantly, codify how organizations are building it successfully. We surveyed 4700+ IT and security professionals across 26 countries for the Security Outcomes Report, Volume 3: Achieving Security Resilience. The findings uncovered seven success factors to achieving security resilience—factors so essential that, if all are successfully implemented, they could push an organization’s resilience levels from the bottom 10th percentile to the top 10th. (I mean, which percentile would you rather be in?)
Those seven factors are:
- Executive support
- Culture of security
- Resources on reserve
- Simplified hybrid cloud environments
- Zero trust adoption
- Detection and response capabilities
- Secure access service edge
Resilience is more than a buzzword, and this report backs up that assertion with some compelling findings. To dig deeper into those findings, I sat down with Cisco Secure’s CISO Helen Patton (one of my personal idols). We discussed her perspective on key elements of the report. Here’s what Helen had to say.
Helen Patton’s takeaways from the Security Outcomes Report, Vol. 3
Tell us about the report! Can you give us some background information?
Three years ago, we started with the first version of the security outcomes series to find out what actually worked in security and what actions led to positive outcomes. We came up with a list of what people were doing that had a positive security program outcome. Then we did another study the following year where we dove deep into those top five actions to better understand how they achieved those positive outcomes. But over time, we’ve seen a lot of executive awareness of cybersecurity and what that means for the business. So, for the report, we are really exploring what it means to be security resilient, what activities security teams can do to help an organization be resilient, and most importantly, what actually works.
Why do you think “security resilience” has become such a buzzword?
You see it everywhere! I think everyone struggles with what the value of security is. A lot of the time we think we do security because we have to, or because a regulator is telling us to. But the point of security is that if we do it well, an organization is free to do what an organization does. How do we use security as an underpinning and enabler for all the things an organization does? In short, we build security resilience.
Do you mind sharing some of those key resilience priorities that organizations are looking to achieve?
The outcomes report came out with seven things that an organization could do that would really make a difference in terms of their security program. One of the main things is getting executive buy-in and sponsorship. If an organization isn’t completely all-in with your security program, it really isn’t secure.
Others were maturing zero trust and moving to the cloud. But moving to the cloud quickly. There’s certainly resilience if you’re 100% on-premises or 100% in the cloud, but if you’ve got hybrid space, organizations’ resilience scores actually went down by about 15%. The report didn’t suggest you not go to the cloud, but be intentional when you do. Don’t end up in that mushy, hybrid middle of the road, which is actually really hard to secure. What last year’s report would suggest is to have a specific program to get rid of old security technology and adopt something that is more protected and more updated that will allow things like automation and new solutions to be deployed across your organization to help with resilience.
In light of the global cybersecurity talent shortage, why do you think it ranks lowest as a priority?
I suspect it’s because solving the talent shortage is the hardest thing to do. Hiring and retaining security talent was ranked the most difficult of these seven security resilience activities for everybody across the board, no matter the size of the company or the location. It’s easier to talk about having the right tooling, the right architectures, the right kind of board engagement.
The problem of security talent retention is impacting everybody everywhere and it’s a difficult, thorny problem. But we all know if we don’t have that talent, we can’t be resilient. So, we need as a collective community to be able to resolve this problem. And that’s going to take partnership between government, academia, and the private sector to bring in and train up people to be security people—whether or not they’ve got security in their title.
Any recommendations for hiring and retaining cybersecurity talent? You talk about this a lot in your book, Navigating the Cybersecurity Career Path.
There have been a number of reports industry-wide on this. It’s really hard to train an employee to be curious, innovative, and self-studied. So you hire for that and you train on the job. If you don’t have people with the skills to train someone on the job, then you reach out to resources like Cisco Academy or someone like me who comes in and talks with your teams.
We need to hire for capability and potential, not tech or security background. Don’t get me wrong, there are some jobs where you absolutely need security experience. But there are plenty of people who have project management experience, business analyst experience, and math experience. Some of my best security people were musicians by trade. We need to be moving people laterally into security, not only straight up through high school. We’ve got to be coming in from both directions because the need is too great.
How do the experiences of executives and security professionals in the field differ when it comes to security resilience?
One finding I thought was interesting came from asking both C-suite security people and professionals who are the “doers” of security what resilience outcome they valued the most. We found that the security executives’ highest priority was actually not preventing incidents, but mitigating the risk and financial cost of an incident actually occurring. Whereas the security doers wanted to prevent any bad thing from happening at all. Both of those things were valuable, but we do have a bit of a mismatch in priorities. This also explains why it’s sometimes hard for security people to talk about security with executives, because what they want from programs is a little different.
As a CISO, do you have any personal thoughts about the findings?
If you’re a CISO and you’re trying to roll out a security program, often executives will come to you and ask you how what you’re doing compares to what other people are doing. They ask you to benchmark your work. And the challenge with benchmarking is that every organization does security differently because the business they’re in is different. Even if it’s the same industry, your risk appetite is different. Let’s say you’re in healthcare—the risk appetite of your hospital might be different from the risk appetite of another hospital.
So trying to benchmark by looking at other organizations is not comparing apples to apples, but here in Australia it’s apples to marsupials. This report doesn’t limit you to a numerical benchmark but gives you the ability to look at what similar organizations are doing that statistically generate positive outcomes.
So now I can choose my own path from the report. If I want to improve executive buy-in, this is how I might do it. If I want to improve the cloud, this is how I might do it. If I need to then sell that to my executives, rather than saying I’ve done a benchmark, we can choose a strategy that’s got the rigor of this report backing it up. So that’s how I would use this report as a practitioner.
These findings are actionable.
What we love about the Security Outcomes Report is that it takes more than a data-centric approach—the results are completely actionable. We practice good security hygiene, communicate between executives and front-liners, move forward with tech advancements, train up new cybersecurity professionals, and so much more to achieve security resilience. But why? What is all this effort for?
I think Helen really drove the answer home. To paraphrase this wise CISO, we’re taking these actions because if we do them well, we’re enabling organizations to do what they do best, unencumbered. That, after all, is why a resilient security function is so vital.
Read the full Security Outcomes Report, Volume 3: Achieving Security Resilience to discover those seven resilience outcomes and learn how you can secure your business, no matter what the future holds.
For a quick overview on report findings, take a look at the Interactive infographic: The Seven Obstacles to Security Resilience