Regardless of where your organization falls in relation to the security bottom line, here are some recommendations for solving the main challenges raised in this report.
1. Figure out what’s right for your organization
Organizations should take a close look at where their security spending is going. In this industry, there’s a lot of pressure to keep up with peers. “What is everyone else buying? Do I need that new technology?” Of course, it’s always good to keep an eye on the industry and evaluate what others are doing to increase their defenses. However, as we’ve confirmed in this report, security is never one-size-fits-all.
Before you go shopping for more technology, look at your expertise in relation to the security maturity pyramid in our capability section. As the old saying goes, “You can’t secure what you don’t know you have.” And a vulnerability scanner won’t help you if you can’t fix what it finds.
Knowing which threats are not just possible, but probable, will help you focus on the right priorities when you can’t cover everything. Consider conducting a cyber risk assessment either in house or via a third party to get you started on the right path.
2. Get more from your investments
An unfortunate trend over the years has been to always seek out the latest and greatest security products. This is good in theory for making sure you’re protected from constantly evolving threats. However, for many organizations, it’s created a complex mess of disjointed point products that are difficult – if not impossible – to manage. If you’re getting too many alerts from disparate technologies and have to spend all day going back and forth between different applications to figure out what’s going on in your environment, your security will suffer.
Steve Martino, SVP/CISO, Cisco
Instead, it’s time to invest in security technologies that work for you, rather than the other way around. Cisco takes a platform approach to security – meaning, we don’t just sell firewalls or email security or anti-malware technology. We provide an open and broad portfolio of security technologies that all work together to defend your network. If a threat is found in one area, we give you the ability to automatically block it everywhere else. Automation and integration can go a long way in minimizing complexity and making sure you get the most out of your security technologies and personnel. And when it comes to your vendors, be sure to take advantage of everything they offer – much of it at little to no cost. Attend those free webinars. Call on technical support. Attend vendor events. Join those customer advisory groups. Participate in vendor trainings. By all means, if you’ve invested in technology, your security staff should know how to use it effectively.
3. Adopt a zero-trust approach to security
Today’s threats are coming at your organization from all angles. They are targeting users, applications, your network, the cloud, IoT devices, and the list goes on. This expanded attack surface makes it critical for organizations to take a zero-trust approach to security.
Zero trust requires organizations to:
Obtain visibility into all areas of the network
Adopt controls to ensure that only the right people, devices, and applications can operate in the organization’s environment
Have an effective means of blocking suspicious behaviors to prevent the spread of attacks
With these steps, organizations can more effectively protect their workforce, workload, and workplace.
By moving beyond basic security measures and taking a more layered, holistic approach to security, you can make it harder and more expensive for attackers to compromise your assets – which certainly helps your security bottom line!
4. Increase your training
Since many of our respondents are relying on outside sources for security expertise, it seems more training should be in order. Make sure that once you hire your talent, you continue to invest in their skills and understanding of your environment.
Allow them to attend conferences and workshops. Conduct internal training sessions. Encourage them to access free resources like the Cisco Security Blog and Cisco Talos threat intelligence page to stay up to date on the latest threats. Let them pursue more certifications. In short, make sure they’re not just doing their jobs, but are becoming true experts in the process — not just security experts, but experts in your business as well. A third party will never understand your particular security needs and constraints as well as your own people.
5. Consider outsourcing
If you’re running a bunch of old legacy systems, chances are your IT team is spending too much time managing and updating them, while getting ineffective security in return. Migrating from complex legacy systems to outsourced SaaS applications for well-known, non-core business functions such as email, office applications, payroll, and others can greatly help with security in those areas, so that you can concentrate on securing your core assets and processes. For security products that require more dedicated staff than you have available (due to cost), outsourcing the management of those technologies through an MSSP is an option as well. Realize that it’s sometimes best – and more cost-effective – to get help with security than to try to do everything on your own.
6. Join forces
As our section on influence indicated, there’s certainly power in numbers when it comes to security. If your organization is too small to assert influence over your suppliers, consider banding together with other organizations through professional networks or industry groups to build more clout. Being able to get timely bug fixes and updates from your vendors and partners is critical for effective security. And it is harder for them to say no to fifty small companies than to just one.