Network Security, Security Strategy, Plan, Budget

To achieve desired security outcomes, update and integrate your tech stack

SAN JOSE, CA – APRIL 17, 2001:  (FILE PHOTO)  The facade of a building on Cisco Systems’ sprawling complex  is shown April 17, 2001 in San Jose, California. Analysts expect Cisco Systems to post a 13 cents-per-share profit February 4, 2003 for the second quarter.  (Photo by Dan Krauss/Getty Images)

Embracing a proactive tech refresh strategy and the integration of technology are two the of most effective security practices that organizations can enact in order to achieve desired outcomes, according to a recently published research study from Cisco Systems and Cyentia Institute.

And while it’s not always economically feasible to keep one’s tech upgraded and integrated, there are strategies for better positioning your organization in this manner, noted Wendy Nather, head of advisory CISOs at Cisco, speaking at the 2021 RSA Conference this week.

For the “Security Outcomes Study,” researchers surveyed more than 4,800 IT, security and privacy professionals regarding how successfully they believe their companies implemented 25 key security practices, and to what degree they have achieved 11 desired business, management and operational outcomes. The researchers then used data analysis to look for patterns and find any common correlations between certain practices and outcomes.

“According to these statistics, the organizations wanting to maximize their overall success of their security program should ideally start with a modern well integrated tech stack,” concluded Nather. Or, as the report itself puts it: “A proactive, best-of-breed tech refresh strategy allows you to keep up with business growth,” while “a well-integrated tech stack improves recruitment and retention of security talent.”

Indeed, organizations that believed they had a strong proactive tech refresh practices were found to be 8.9% more likely than other organizations to report they were successfully keeping up with the business, 8.3% percent more likely to say that they were meeting compliance regulations and 8% more likely to opine that they were running cost-effective operations.

Organizations inspired by such data might want to upgrade to the best available hardware and software, but not everyone has the budget or flexibility to do that, noted Nather. “But another option you could try is migrating to SaaS and cloud-based services, because at least your provider is responsible for updating that part of your tech stack, so… you don't have to try to do it inside of your organization," she stated.

Another option: looking for tech vendors that practice security by design. “The good thing about security technology is as it's been evolving, a lot of these technologies are getting more security built in,” Nather continued. “We're seeing that more and more with operating systems and so on.”

Or, organizations that want to be on the “bleeding, cutting edge” could also considering adopting the DIE (distributed, immutable, ephemeral) resiliency framework to see “if ephemerality will help you with updating and upgrading,” Nather added.

Rounding out the five practices that generated the most successful outcomes were timely incident response, prompt disaster recovery and accurate threat detection. “These are all after the breach happens. These practices are good things for you to be practicing in terms of your process and your people anyway,” said Nather.

Out of the 275 possible practice-outcome combinations illustrated in the study, 45 percent were found to have a significant correlation. Moreover, 23 of the 25 security practices “were linked to improving the chance of success in at least one outcome,” said Nather’s co-presenter Wade Baker, partner and co-founder at Cyentia Institute. “I'm glad for that. There's not a lot we're doing that’s just ineffective and not accomplishing anything at all.”

Also, 11 of the 25 outcomes were found to have a positive correlation with at least nine separate practices – meaning there are potentially numerous paths to achieving these particular objectives.

As for which security practices offer the “biggest bang for the buck” – something a lot of organizations are able to accomplish that also yields great results – “I’ve got some bad news,” said Nather. Unfortunately, “there just isn't anything that's so magical that everybody said that they could do it, [while also offering a] very high probability of giving you success in your outcomes across the board. If there were, we'd probably already be doing it.”

The full list of practices and outcomes can be found in the grid below.

Graphed correlations between security practices and desired outcomes. (Cisco 2021 Security Outcomes Study)
Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.