Most days our team is laser-focused, working towards the common goal of mitigating and futureproofing against cyberthreats. However, I believe it is equally important to take time, step back and learn from the larger security community. That’s why every year, I prioritize attending RSA, the annual San Francisco security event. This event brings together security professionals to exchange ideas, share success stories, and examine failures. It is critical for us as an organization to continue to learn and grow from our community and to hear from analysts and security influencers who are taking a macro look at our industry.
Security professionals are a tight community because we all face a common enemy, cyberthreats. What differentiates us is how we approach and solve the myriad of challenges that defending our organizations presents. At Cisco, we’ve been looking at strategies that are outcome focused. Knowing that it is both costly and difficult to take a one-size-fits-all approach to network security, we suggest a risk-based approach that is more nuanced, cost-effective, and places the strongest protections on the most valuable assets. Through this approach, we are trying to help our customers build ‘security resilience.’
Security has become a C-suite topic, a business problem, and that has prompted organizations to dedicate resources to improve security resiliency and to prepare for a breach.
“62% of organizations have experienced a security event that impacted resilience.” Cisco Security Outcomes Report, Vol 3.
“Security resilience is top of mind among executives; 96% of them consider it highly important to their business.” Cisco Security Outcomes Report, Vol 3.
Security resilience is the ability to protect the integrity of every aspect of your business so it can withstand unpredictable threats or changes and emerge stronger, and a risk-based security strategy is an effective way to develop security resilience.
Practically speaking, a risk-based approach looks at the threat, the vulnerability, the probability, and the impact of a threat or threats, and then fortifies defenses, operations, and continuity plans accordingly.
First, you need to understand the weakness in your environment and what is happening outside of the organization that may impact you. Since you cannot protect what you don’t know about, and because no organization is static, there may be misperceptions about just how strong an organization’s overall security posture is. So, we recommend uncovering your perception gap and identifying vulnerabilities in technology, processes, or training. That knowledge provides the opportunity for you to course-correct, remediate, and bolster your defenses.
We know that where to start can be a challenge in the current environment with persistent security talent shortages and the consistently increasing complexity of both hybrid infrastructure and hybrid work. That’s where security assessments and security penetration testing, based on industry best practices, can be of enormous value. Technical assessment, threat hunting, and Red Team exercises can help an organization uncover the gap between perceived and actual security posture. And penetration testing provides a real-world picture of how well an organization can resist attacks. It also produces detailed vulnerability information that allows stakeholders to begin the remediation process.
RSA pro-tip: we’ll be featuring a ‘Lightning Talk’ called “Stories from the Trenches: Application Insecurity”, that details the real-world use of security assessments that have helped Cisco customers, from a variety of industry verticals, tackle some challenging security problems.
While security assessments/penetration testing is a great place to start a proactive journey to security resilience, it truly is a first step. Organizations should adopt a lifecycle approach that uses continuous assessments/penetration testing, and takes steps to thwart bad actors, by making it both hard and expensive to succeed. This means not only fortifying your defenses but also having the ability to adapt as threats do. We believe there are two, architectural elements that help define a strong defense: a simple, yet robust architecture such as the Cisco Security Reference Architecture, as well as optimized security operations through a robust detection and response solution.
But we also need to be realistic. Even organizations with the most robust security posture can experience a breach; threats evolve quickly, and the threat landscape has grown so much. Your organization’s ability to anticipate, manage, and recover from a breach quickly, gracefully, and without tarnishing your reputation or bottom line is part of building security resilience. A lifecycle approach means having not only proactive guidance, but also emergency resources at the ready. An incident response retainer provides both proactive services and reactive help if you need it.
This year at RSA, the Cisco booth will feature talks and demonstrations on what we’ve discussed here. In the Moscone Center, you can look for our Lightning Talk in the South Hall (S-1027) and in the main Cisco booth (North Hall, N-5845) you will find demos of an array of our services that support the security lifecycle. I will be there too, and I hope you will come say hello and meet just a sample of the talented Cisco security professionals who will be on site.
See you there!