CyberWire Daily - Implementing and achieving security resilience. [Research Saturday]
Episode Date: February 18, 2023
Wendy Nather from Cisco sits down with Dave to discuss their work on "Cracking the Code to Security Resilience: Lessons from the Latest Cisco Security Outcomes Report." The report describes what security resilience is, while also going over how companies can achieve this resilience. Wendy talks through some of the key findings based on the report, and after surveying 4,751 active information security and privacy professionals from 26 countries, we find out some of the top priorities for achieving security resilience. From there the research goes on to explain from the findings which data-backed practices lead to the outcomes that can be implemented in cybersecurity strategies. The research can be found here: Cracking the Code to Security Resilience: Lessons from the Latest Cisco Security Outcomes Report; Achieving Security Resilience.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems of protecting
ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
What we started doing a couple of years ago is examining not just what everyone is doing,
because there are plenty of benchmark reports out there.
But what I really wanted to find out is what appears to work in security.
And that's hard to track down.
That's Wendy Nather.
She's head of advisory CISOs at Cisco. The research we're discussing today is titled Cracking the Code to Security Resilience, Lessons from the
latest Cisco Security Outcomes Report. But thanks to the work that we have been doing with the Cyentia Institute and some pretty rigorous data analysis,
we think we're getting closer to some answers on what appears to correlate between certain types of practices and the outcomes that we want in a security program.
I have to say that that is what really caught my eye and prompted me to reach out to you: this report, unlike a lot of others, really is all about
outcomes and what actually works. And to me, that's kind of a breath of fresh air.
Yeah. I mean, I hate to promise too much in the report to say, if you do this, this will absolutely work. But after surveying really large numbers of organizations around the world and doing the analysis and trying to correlate practices and outcomes, we can at least say with a certain amount of confidence that if you are strong in a particular
practice, then the chances are very high that you will also report being strong in this outcome.
And that, I think, lays it out. Well, let's go through it together here. I mean,
what are some of the things that really rose to the top for you that caught your eye?
Well, this year we decided to look at resilience.
And the first challenge for us was to figure out what resilience actually means to people.
Because if you go around asking folks, there's actually quite a lot of difference in how people
define what resilience is. Some people, myself included, tend to think of resilience as
things that happen and that you do after the bad event happens, you know, to the right of boom,
as some people describe it. But when we went out and surveyed all these practitioners,
we found that a lot of them defined resilience as preventing major security incidents and losses.
So kind of, you know, the best outcome for resilience is not having those incidents to
begin with. And that may be fair. It's not the way I would think of it, but you can't argue with
what our respondents replied. Yeah, that's a really interesting point. And I think,
I wonder if that's something that you find throughout cybersecurity, that sometimes
in some of these conversations, kind of getting to ground truth on how things are defined
can be a stumbling block itself. Absolutely. And so we went through and collected a list of outcomes
that practitioners said they associated with resilience. And then we looked at and surveyed
them on practices and tried to see what appeared to correlate with these outcomes. And we found
all sorts of things that appeared to correlate strongly, but some of the most important things
and the most interesting results that I found or that we found included things like the strength
of having the support of management. Having executive support really had a strong effect on whether they were going to be able to,
you know, report that they had, you know, good resilience outcomes. There's a 39% increase,
for example, in your chances of reporting, you know, strong security resilience if you have
executive support. And that may sound obvious to everybody, but the interesting thing is we now have the
numbers to say just how much of a difference it makes. So it may not matter as much where you
report in as a CISO as long as you do have that executive support. Well, I feel almost ironic in
asking this, but what do we mean by executive support? Is that financial? Is that moral support, cheerleading, or a little of everything?
Probably is a little bit of everything.
We don't go into detail asking specifically what form that takes, but that's something
we really should be looking at in future research.
Another one, a really, really big one, 46% is the number that we're looking at for a culture of security.
That is, there's a 46% difference in average resilience scores between organizations with poor versus excellent security culture.
And in this case, security culture doesn't just mean the annual security awareness program tests or videos that people have to look at. The culture is what you
decide to emphasize and incentivize every day among all of the employees in your organization and among your partners and your
customers and your stakeholders. So if you think about it that way, that culture is what everyone
decides to do and the actions and the decisions that they take every day, you can see how it would
have such a strong effect on resilience. One of the things that caught my eye was talking about staffing and the number of people you have.
And you all pointed out that it doesn't seem to matter how many people you have.
It's that you have to have enough people to be in reserve.
So when things go bad, they are in a position to respond.
Exactly, exactly. Your chances of having higher resilience are about 15% higher if you have some amount of staff, either internal or external, in reserve. And from one side,
that sounds kind of ridiculous. I mean, who has spare people sitting around? You usually don't.
You're, you know, maxing out. Everybody's working as hard as
they can. But on the other hand, if you have an incident and your people are already stretched
very thin and they're exhausted, having, you know, somebody who can step up, who's fresh,
who can help make the decisions and take the actions sometimes very quickly that you need
during an incident really does improve your resilience.
Now, it's a really interesting point. It makes me think about, you know, your neighborhood
fire department who, you know, spend most of their time sitting at the firehouse doing nothing.
But, boy, when you need them, you're glad they're there.
Yeah, yeah, exactly.
And it may be easier to get external people on retainer, for example, and bring them in.
But as we found with some of our research last year, if you have outsourced incident response people,
some of the metrics that we tend to like to
look at, like mean time to respond, tend to increase when you have external people.
Things slow down a little bit because those external people may not know everything that
they need to know and they need to coordinate with your internal people.
So there's a trade-off.
You may have more people in reserve outside the organization, but when you bring them
in, it may slow things down. It doesn't mean you won't be resilient, but there are other
performance factors that you need to think about. I'm curious if the report uncovered any
misperceptions. Are there things that people think require a lot of attention, but in the end don't really tend to have much impact?
Well, you know, there's a lot of discussion and confusion around things like cloud adoption.
And a lot of people tend to believe that everything is going to be better in the cloud
or things are going to be safer in the cloud. One thing that we did find out is that asking respondents about and checking
and calculating their resilience scores, they seem to be pretty much the same if you were entirely
on-premises or if you had your infrastructure entirely in the cloud. They seem to be pretty
equal. So you could be equally resilient in either case. Where the resilience started dropping off was when you were in a hybrid situation. And those who said that they were in a hybrid infrastructure and things were hard for them, obviously their resilience score dropped down some.
So I think the lesson we take from this is when you're trying to work out resilience for two different environments in a hybrid situation, both on
premises and in the cloud, it's going to make resilience more complicated than if you're just
in one or in the other. Were there any common elements when you look at organizations that are
being successfully resilient? Are there things that they share that they have in common with
each other? Oh, yes. I mean, we did identify seven practices that most often tend to lead to those
higher resilience scores. What I think I'll do, Dave, is bring up an interesting graphic
that we did not include in the report, but that I did include in my blog,
the one that is titled Cracking the Code to Security Resilience. We looked at the NIST cybersecurity framework and analyzed it and asked questions
about the practices in that cybersecurity framework to see which ones looked like they
correlated the most with those resilience outcomes. And we have the chart that's at the bottom of that blog post where you can look and see that,
for example, having key systems and data being tracked and making sure they have security
requirements has the highest correlation or one of the highest correlations with containing the spread or the scope of security incidents.
And again, that sounds kind of intuitively obvious. If you know what you have and you
have security requirements defined for everything that you have, then being able to contain the
spread or the scope makes a lot of sense. But again, the value here is being able to see in the analysis that it's significant by 10.6%.
That's, you know, it's an actual number. It's not just a feeling anymore.
I noticed in that chart that near the bottom was maintaining a cost-effective security program. Is it fair to say that, perhaps I'm oversimplifying it,
but that this is not an area where thriftiness pays off?
Actually, it's probably fair to say that, as you can see in that chart,
if you look around, there are a few of these practices
that don't seem to have any correlation
with maintaining a cost-effective security program.
So looking at the practice in the NIST CSF of threat detection capability provides awareness
of potential security events. Well, yes, awareness is very good, but does it actually lead to
maintaining a cost-effective security program? Probably not. They're probably not
very relevant to each other. The darker the squares in here, the more correlation we see.
And in some cases, as I just pointed out, we don't see a correlation at all. It doesn't mean
the practice is not valuable. It just means that if you're trying to correlate it with a particular
outcome, you might not see a correlation.
Ah, I understand.
So what are your recommendations then?
I mean, based on the information that you all have gathered here, what sort of things should people be putting in place?
What sort of procedures and practices and cultures work out best for folks?
Well, as I mentioned before, there are some things that actually don't necessarily cost any money.
And that is creating a widespread, well-implemented security culture among everybody who has access and is responsible for security outcomes in your systems.
And also making sure that you have executive support, those play a
big role. On the other side, we also found that architecture can play a big role in whether you
have a resilient environment. Trying to simplify your hybrid cloud environment is something that I would recommend. And of course, if you are working on any of the very
trendy security frameworks and practices that we see today, like zero trust as a framework,
or implementing extended detection and response capabilities, those are also going to improve your
resilience. Now, it's not necessarily clear whether simply
the act of implementing these more sophisticated and careful and granular approaches to security
in themselves boost your resilience or whether there's something magical in the architecture
that makes you more resilient. We would have to look at it more deeply to figure that out.
But we do see a certain level of correlation with those who are converging network and security
into a cloud-delivered secure access services edge. That boosted security resilience scores by 27%.
There are a lot of things that we would like to continue researching in the future.
And actually, I would love to hear some input from you as to what else we should be looking at.
Our thanks to Wendy Nather from Cisco for joining us.
The research is titled Cracking the Code to Security Resilience.
Lessons from the latest Cisco Security Outcomes Report.
We'll have a link in the show notes.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Elliott Peltzman.
Our executive editor is Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.