Achieving effective security in uncertain times
Now that 2020 is behind us and we’re firmly planted in 2021, many security practitioners may be asking, “What’s next?” Last year pushed security teams to their limits as they had to frantically provision for remote working, protect employees from Covid-related phishing scams, and keep businesses secure amidst constant social and political unrest.
While we can assume (and hope) that this year will bring more stability, change is the only constant, and there will always be some level of uncertainty. On top of that, the economic impact of the pandemic has left many security teams with additional budgetary pressures.
According to Cisco’s Head of Advisory CISOs, Wendy Nather, “After the scramble and confusion of 2020, organizations will opt for a period of quiet in the security realm. CISOs will simply try to hold on to what they have.”
With this reality in mind, how should security teams proceed now that we’re in the new year? Below are some recommendations for maintaining effective security during challenging times, based on our recent 2021 Security Outcomes Study and further insight from Wendy Nather. Even in light of everything else going on, it’s important that organizations continue to strive for simplified, cloud-based security backed by solid threat intelligence.
Getting back to the basics
“This year, rather than expanding into shiny, exciting new cybersecurity technologies, organizations will go back and focus on the critical fundamentals, such as asset inventory, monitoring, and rethinking vulnerability management,” said Wendy Nather.
The importance of going back to the basics was also supported by our 2021 Security Outcomes Study. The study analyzed which of the functions in the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover) had the greatest impact on security program success. Researchers were surprised to find that the “Identify” function had the greatest impact, increasing organizations’ chances of achieving security success by an average of nearly 11%.
This finding confirms that the basics matter, and that now may be the perfect time to work on them. After all, you can’t really secure what you don’t know you have – so identifying assets is a critical first step to protecting them, and one that shouldn’t require a lot of new tools.
“Identifying what you have is just one part of this important exercise,” said Wendy. “You also need to keep track of your assets all the time and detect changes to your infrastructure.” Many products in the Cisco Secure portfolio are designed to provide the in-depth visibility needed for this crucial component of security.
Unifying and simplifying security
Over the years, organizations have become accustomed to buying a new, standalone technology to combat every rising security threat. This has resulted in too many products for security teams to manage effectively. “As organizations recover from the volatility of 2020, they will be looking to trim portfolios even more aggressively and combine more features into united platforms,” said Wendy Nather.
And according to Cisco CISO Mike Hanley, “Security buyers often have dozens of different tools from multiple vendors, and generally have to use a fair amount of duct tape to get them to work together. This creates complexity, cost, and overhead.”
At Cisco we have been talking about the benefits of an integrated security platform for years, culminating in the 2020 launch of Cisco SecureX. SecureX is not a new product that you have to buy. Rather, it is embedded within each of our security products so that customers can benefit from it whether they have one or many Cisco Secure technologies.
The cloud-native platform also makes it easy for customers to start with only what they need and add new technologies and functionality down the line. SecureX integrates not only Cisco capabilities but also many third-party ones to enhance visibility, collaboration, and automation.
By connecting and streamlining key security functions and threat intelligence, organizations can save time, resources, and yes, even budget, all the while improving their ability to detect and respond to threats. “[SecureX] simplifies the review, research, and impact analysis of security events and frees our team up to work on other security initiatives,” said Craig Behr, Senior Vice President at Citynet.
The Cisco 2021 Security Outcomes Study also highlighted the benefits of an integrated security platform. Many features of SecureX, including integration, automation, and collaboration, were shown in the report to significantly improve organizations’ security programs.
Getting serious about zero trust
Despite potentially reduced budgets, one thing that shouldn’t go away is a dedication to zero trust. The events of 2020 drove home the fact that no organization is ever really impervious to attack, and that attacks can come from all angles and access points – especially now that so many workers are outside the confines of the corporate network.
“The rush to secure remote working has driven nearly every organization into the zero trust pool,” said Wendy Nather. “It remains to be seen how many of them will head for the deep end as soon as it becomes apparent that ‘any user, any device, any application, any place’ is here to stay in 2021.”
At its most basic level, zero trust is a comprehensive approach to securing all access across your applications and environment, from any user, device, and location. It’s about verifying the validity of every access request, regardless of where it originates or who or what is making it, and granting only the access required. This should be something every organization remains focused on even in the middle of other challenges.
Based on our 2021 Security Outcomes Study, many organizations are on the right track when it comes to zero trust. The study revealed that 39 percent of respondents are fully embracing zero trust in their organizations, while another 39 percent are moving towards the model – indicating that the majority of security professionals have it squarely on their radar.
A zero trust strategy goes hand-in-hand with some of the back-to-basics objectives discussed earlier, such as identifying and keeping track of network assets and their behaviors. Organizations should be able to make progress on many aspects of zero trust even without generous security budgets.
Go forth and protect
Every organization is different, with its own unique resources, pressures, and risk factors. But these are just a few things we recommend focusing on to achieve strong security during this “quiet period.” Here’s to a secure (and hopefully more stable) remainder of the year!