#RSAC: What Makes a Security Program Measurably More Successful?

There are a lot of common activities that security professionals will often associate with enabling a successful security program, but which ones actually work? That's a question that was answered in a keynote session on May 20 at the 2021 RSA Conference.

Wendy Nather, head of advisory CISOs at Cisco, worked with Wade Baker, partner and co-founder at Cyentia Institute and professor at Virginia Tech, to conduct a survey and the associated Cisco 2021 Security Outcomes Study. Nather explained that the report looked at 25 common security practices grouped under three top-level categories: Business & Governance, Strategy & Spending, and Architecture & Operations.

"We wanted to find out, does anything matter in security?" Nather said.

What Makes a Successful Security Program

The good news, according to Baker, is that most common security practices do in fact lead to some kind of positive outcome, though some are more successful than others.

"What we do in security matters. There is good evidence here that these standard practices, all of which by the way are pretty general, do actually achieve the outcomes that people tell us that they want to achieve," Baker said.

Nather said that, in particular, five common practices were most strongly connected to an organization having a successful outcome:

  1. Proactive tech refresh
  2. Well-integrated tech
  3. Timely incident response
  4. Prompt disaster recovery
  5. Accurate threat detection

Nather observed that while the top two practices are technology-related, in that organizations might need to acquire and adopt technology, the other three are more about people and process. She noted that timely incident response, prompt disaster recovery and accurate threat detection are all activities that take place after a security incident has occurred.

Baker added that while protection-related activities are still needed, they ranked toward the bottom of the list in terms of being correlated to enabling better outcomes for a security program.

"We do not see this as saying that protection isn't important," Baker said. "We see this as more indicative of the fact that we need to build more diverse programs."

Baker commented that for a long time in security the focus was largely on protection, but now detection, response and recovery are at least equally important. The data from the survey, he noted, is good evidence that things other than protection are critical to security program success.

The Least Correlated Practices for Successful Outcomes

The bottom five of the 25 practices evaluated in the study are:

  1. Identify top cyber risks (spot 21)
  2. Secure development approach (spot 22)
  3. Someone owns compliance (spot 23)
  4. Understand security and business (spot 24)
  5. Security measures reviewed (spot 25)

Baker emphasized that while the bottom five practices weren't as strongly correlated with a positive security outcome, they are still important to consider. There is also some nuance across the list, in that the practices that matter most can differ for an organization in a specific industry or of a certain size.

"The things that matter most in security change based on an organization's size, the industry, and the geography that that organization is in," Baker said. "We saw a lot of variation across these things, so just because something is number one overall doesn't mean it's going to be number one for you."