This year marks the 30th anniversary of National Cyber Security Awareness Month (NCSAM). You remember that phrase…the more things change, the more they stay the same?
While much has changed over the last 30 years, some things remain true.
- Cybercriminals, known for being highly opportunistic, are a mainstay in the threat space.
- Throwing the newest bright shiny objects at a problem is not a cybersecurity strategy.
This year, I had the opportunity to meet with Cisco customers, government officials, and providers of critical infrastructure across the United States, Europe, and Asia. Naturally, there are cultural and regulatory expectations that make each unique. More interesting is how much the cybersecurity world is struggling with the same pressure and too many voices.
Much of this noise is coming from technology vendors pushing the newest innovations without a clear strategy to solve our toughest challenges. This strategy of adding bespoke tools – new bright, shiny objects – to address point problems can quickly break down without an integrated architecture and larger strategy at play.
It may not be provocative, but regardless of what is being written in the press about the latest ‘bright shiny’ things (AI anyone?), as an industry, we still have fundamental, foundational gaps we absolutely must solve.
Developing a cybersecurity culture
A huge part of addressing risk and building resilience starts by developing a strong security culture amongst your employees. Cybersecurity truly is everyone’s job. You simply cannot grow a strong security culture without transparency, from internal stakeholders to third-party suppliers. I’m excited to see many small startup technology companies embed security at their core from the beginning. However, unless you are starting fresh, this is an unsolved challenge. At Cisco, we are pushing ourselves to be “bumper sticker” clear with our stakeholders. Invest the time to discuss and clearly communicate the impact of threats or vulnerabilities that can permeate risk across your company and ecosystem. Create a space where it is accepted to have difficult conversations about risk and security gaps transparently; this can open a door to collaborative problem solving. Finally, make sure the owners of the systems, assets, applications, and/or data understand their role – they own the risk!
Investing in the foundations
While everything cloud may grab headlines and may make a strong argument for security, very few organizations are cloud only. A hybrid cloud strategy, zero-trust approach, and a modern network help lay the foundation for effective security. In nearly every risk-based assessment I’ve seen, the ability to have visibility and control from the network remains the critical risk control point. The network connects the data, applications, and services within any organization so that it can deliver goods and services to end customers. Overlooked and poorly maintained network gear can be the most appealing targets for an adversary. We have been sounding the alarm on the importance of updating and maintaining network infrastructure for years. This situation can no longer be ignored.
Treating cybersecurity as a team sport
No one should be doing this alone. Resilience is born and built in communities. When I’ve run into hard times, I reach out to one of my peers. In return, I encourage them to do the same. It’s no secret that security resources (time, talent, technology) are all scarce and in competition with other business imperatives, like developing products. As a cybersecurity community, we must anchor ourselves in real-world evidence about what really works to improve security, and that starts with cooperative, candid, collaborative dialogue. We can and must explore important topics like Software Bill of Materials and AI with passion and energy, but we need to be honest about what problems they are solving today and what they might solve in the future, and clearly distinguish between the two. By having real conversations about risk, we can help each other bolster and mature our security cultures. And that makes us all more resilient.
Cisco has been building systems that remain critical for communications for over 30 years. We continue to push the boundaries on what ‘good security’ looks like. We’ve come a long way and have learned a few things along the journey. It is our duty and honor to share what we’ve learned.
If you need us, please reach out.
For more information on Cisco’s 30-year journey and commitment to security and trust, visit our Trust Center.