Embracing a proactive tech refresh strategy and the integration of technology are two the of most effective security practices that organizations can enact in order to achieve desired outcomes, according to a recently published research study from Cisco Systems and Cyentia Institute.
And while it’s not always economically feasible to keep one’s tech upgraded and integrated, there are strategies for better positioning your organization in this manner, noted Wendy Nather, head of advisory CISOs at Cisco, speaking at the 2021 RSA Conference this week.
For the “Security Outcomes Study,” researchers surveyed more than 4,800 IT, security and privacy professionals regarding how successfully they believe their companies implemented 25 key security practices, and to what degree they have achieved 11 desired business, management and operational outcomes. The researchers then used data analysis to look for patterns and find any common correlations between certain practices and outcomes.
“According to these statistics, the organizations wanting to maximize their overall success of their security program should ideally start with a modern well integrated tech stack,” concluded Nather. Or, as the report itself puts it: “A proactive, best-of-breed tech refresh strategy allows you to keep up with business growth,” while “a well-integrated tech stack improves recruitment and retention of security talent.”
Indeed, organizations that believed they had a strong proactive tech refresh practices were found to be 8.9% more likely than other organizations to report they were successfully keeping up with the business, 8.3% percent more likely to say that they were meeting compliance regulations and 8% more likely to opine that they were running cost-effective operations.
Organizations inspired by such data might want to upgrade to the best available hardware and software, but not everyone has the budget or flexibility to do that, noted Nather. “But another option you could try is migrating to SaaS and cloud-based services, because at least your provider is responsible for updating that part of your tech stack, so… you don't have to try to do it inside of your organization," she stated.
Another option: looking for tech vendors that practice security by design. “The good thing about security technology is as it's been evolving, a lot of these technologies are getting more security built in,” Nather continued. “We're seeing that more and more with operating systems and so on.”
Or, organizations that want to be on the “bleeding, cutting edge” could also considering adopting the DIE (distributed, immutable, ephemeral) resiliency framework to see “if ephemerality will help you with updating and upgrading,” Nather added.
Rounding out the five practices that generated the most successful outcomes were timely incident response, prompt disaster recovery and accurate threat detection. “These are all after the breach happens. These practices are good things for you to be practicing in terms of your process and your people anyway,” said Nather.
Out of the 275 possible practice-outcome combinations illustrated in the study, 45 percent were found to have a significant correlation. Moreover, 23 of the 25 security practices “were linked to improving the chance of success in at least one outcome,” said Nather’s co-presenter Wade Baker, partner and co-founder at Cyentia Institute. “I'm glad for that. There's not a lot we're doing that’s just ineffective and not accomplishing anything at all.”
Also, 11 of the 25 outcomes were found to have a positive correlation with at least nine separate practices – meaning there are potentially numerous paths to achieving these particular objectives.
As for which security practices offer the “biggest bang for the buck” – something a lot of organizations are able to accomplish that also yields great results – “I’ve got some bad news,” said Nather. Unfortunately, “there just isn't anything that's so magical that everybody said that they could do it, [while also offering a] very high probability of giving you success in your outcomes across the board. If there were, we'd probably already be doing it.”
The full list of practices and outcomes can be found in the grid below.