Implementing and achieving security resilience.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Wendy Nather: What we started doing a couple of years ago is examining not just what everyone is doing, because there are plenty of benchmark reports out there, but what I really wanted to find out is what appears to work in security, and that's hard to track down.
Dave Bittner: That's Wendy Nather. She's head of advisory CISOs at Cisco. The research we're discussing today is titled "Cracking the Code to Security Resilience: Lessons from the Latest Cisco Security Outcomes Report."
Wendy Nather: But thanks to the work that we have been doing with the Cyentia Institute and some pretty rigorous data analysis, we think we're getting closer to some answers on what appears to correlate between certain types of practices and the outcomes that we want in a security program.
Dave Bittner: I have to say that that is what really caught my eye and prompted me to reach out to you is that this report, unlike a lot of others, really is all about outcomes and what actually works. And, to me, that's kind of a breath of fresh air.
Wendy Nather: Yeah. I mean, I hate to promise too much in the report, to say, if you do this, this will absolutely work. But after surveying really large numbers of organizations around the world and doing the analysis and trying to correlate practices and outcomes, we can at least say with a certain amount of confidence that if you are strong in a particular practice, then the chances are very high that you will also report being strong in this outcome. And that, I think, lays it out.
Dave Bittner: Well, let's go through it together here. I mean, what are some of the things that really rose to the top for you, that caught your eye?
Wendy Nather: Well, this year, we decided to look at resilience. And the first challenge for us was to figure out what resilience actually means to people. Because if you go around asking folks, there's actually quite a lot of difference in how people define what resilience is. Some people, myself included, tend to think of resilience as things that happen and that you do after the bad event happens, you know, to the right of boom, as some people describe it. But when we went out and surveyed all these practitioners, we found that a lot of them defined resilience as preventing major security incidents and losses. So kind of, you know, the best outcome for resilience is not having those incidents to begin with. And that may be fair. It's not the way I would think of it. But you can't argue with what our respondents replied.
Dave Bittner: Yeah. That's a really interesting point. And I think - I wonder if that's something that you find throughout cybersecurity, that sometimes, you know, in some of these conversations, kind of getting to ground truth on how things are defined can be a stumbling block itself.
Wendy Nather: Absolutely. And so we went through and collected a list of outcomes that practitioners said they associated with resilience. And then we looked at and surveyed them on practices and tried to see what appeared to correlate with these outcomes. And we found all sorts of things that appeared to correlate strongly. But the most - some of the most important things and the most interesting results that I found or that we found included things like the strength of having the support of management. Having executive support really had a strong effect on whether they were going to be able to, you know, report that they had, you know, good resilience outcomes. There's a 39% increase, for example, in your chances of reporting, you know, strong security resilience if you have executive support. And that may sound obvious to everybody, but the interesting thing is we now have the numbers to say just how much of a difference it makes. So it may not matter as much where you report in as a CISO, it - as long as you do have that executive support.
Dave Bittner: Well, I feel almost ironic in asking this, but what do we mean by executive support? Is that financial? Is that moral support, cheerleading or a little of everything?
Wendy Nather: Probably is a little bit of everything. We don't go into detail, asking specifically what form that takes, but that's something we really should be looking at in future research.
Wendy Nather: Another one, a really, really big one - 46% is the number that we're looking at for a culture of security. That is, if - there's a 46% difference in average resilience scores between organizations with poor versus excellent security culture. And this - in this case, security culture doesn't just mean, you know, the annual security awareness program, tests or videos that people have to look at. It's - the culture is what you decide to emphasize and incentivize every day among all of the employees in your organization and among your partners and your customers and your stakeholders. So if you think about it that way, that culture is what everyone decides to do and the actions and the decisions that they take every day, you can see how it would have such a strong effect on resilience.
Dave Bittner: You know, one of the things that caught my eye was talking about staffing and the number of people you have. And you all pointed out that it doesn't seem to matter how many people you have. It's that you have to have enough people to be in reserve so when things go bad, they are in a position to respond.
Wendy Nather: Exactly. Exactly. Your chances of having higher resilience are about 15% higher if you have some amount of staff, either internal or external, in reserve. And from one side, that sounds kind of ridiculous. I mean, who has spare people sitting around? You usually don't. You're, you know, maxing out. Everybody's working as hard as they can. But on the other hand, if you have an incident, and your people are already stretched very thin, and they're exhausted, having, you know, somebody who can step up who's fresh, who can help make the decisions and take the actions sometimes very quickly that you need during an incident really does improve your resilience.
Dave Bittner: Now, it's a really interesting point. It makes me think about, you know, your neighborhood fire department, who, you know, spend most of their time sitting at the firehouse doing nothing. But, boy, when you need them, you're glad they're there.
Wendy Nather: Yeah. Yeah, exactly. And it may be easier to get external people on retainer, for example, and bring them in. But as we found with some of our research last year, if you have outsourced incident response people, some of the metrics that we tend to like to look at, like mean time to respond, tend to increase when you have external people. Things slow down a little bit because those external people may not know everything that they need to know, and they need to coordinate with your internal people.
Wendy Nather: So there's a tradeoff. You may have more people in reserve outside the organization, but when you bring them in, it may slow things down. It doesn't mean you won't be resilient. But, you know, there are other performance factors that you need to think about.
Dave Bittner: I'm curious if the report uncovered any misperceptions, or are there things that people think require a lot of attention, but in the end don't really tend to have much impact?
Wendy Nather: Well, you know, there's a lot of discussion and confusion around things like cloud adoption. And a lot of people tend to believe that everything is going to be better in the cloud or things are going to be safer in the cloud. One thing that we did find out is that asking respondents about and checking and calculating their resilience scores, they seem to be pretty much the same if you were entirely on premises or if you had your infrastructure entirely in the cloud. They seem to be pretty equal. So you could be equally resilient in either case.
Wendy Nather: Where the resilience started dropping off was when you were in a hybrid situation. And those who said that they were in a hybrid infrastructure and things were hard for them, obviously their resilience score dropped down some. So I think the lesson we take from this is when you are trying to work out resilience for two different environments in a hybrid situation, both on premises and in the cloud, it's going to make resilience more complicated than if you're just in one or in the other.
Dave Bittner: Were there any common elements - when you look at organizations that are being successfully resilient, are there things that they share, that they have in common with each other?
Wendy Nather: Oh, yes. I mean, we did identify seven practices that most often tend to lead to those higher resilience scores. What I think I'll do, Dave, is bring up an interesting graphic that we did not include in the report, but that we did include - I did include in my blog in which - the one that is titled Cracking the Code to Security Resilience. We looked at the NIST cybersecurity framework and analyzed it and asked questions about the practices in that cybersecurity framework to see which ones looked like they correlated the most with those resilience outcomes.
Wendy Nather: And we have the chart that's at the bottom of that blog post, where you can look and see that, for example, having key systems and data being tracked and making sure they have security requirements is the - has the highest correlation, or one of the highest correlations, with containing the spread or the scope of security incidents. And again, that sounds, you know, kind of intuitively obvious. If you know what you have and you have security requirements defined for everything that you have, then being able to contain the spread or the scope makes a lot of sense. But again, the value here is being able to see in the analysis that it's significant by 10.6%, that that's you know - it's an actual number. It's not just a feeling anymore.
Dave Bittner: I noticed in that chart that near the bottom was maintaining a cost-effective security program. Is it fair to say that - perhaps I'm oversimplifying it - but that this is not an area where thriftiness pays off?
Wendy Nather: Actually, it's probably fair to say that - as you can see in that chart, if you look around, there are a few of these practices that don't seem to have any correlation with maintaining a cost-effective security program. So looking at the practice in the NIST CSF of "threat detection capability provides awareness of potential security events," well, yes, awareness is very good, but does it actually lead to maintaining a cost-effective security program? Probably not. You know, they're probably not very relevant to each other. The darker the squares in here, the more correlation we see. And in some cases, as I just pointed out, we don't see a correlation at all. It doesn't mean the practice is not valuable. It just means that if you're trying to correlate it with a particular outcome, you might not see a correlation.
Dave Bittner: Ah, I understand. So what are your recommendations then? I mean, based on the information that you all have gathered here, what sort of things should people be putting in place? What sort of procedures and practices and cultures work out best for folks?
Wendy Nather: Well, as I mentioned before, there are some things that actually don't necessarily cost any money. And that is, you know, creating a widespread, well-implemented security culture among everybody who has access and is responsible for security outcomes in your systems and also making sure that you have executive support. Those play a big role. On the other side, we also found that architecture can play a big role in whether you have a resilient environment. Trying to simplify your hybrid cloud environment is something that I would recommend. And of course, if you are working on any of the very trendy security frameworks and practices that we see today, like zero trust as a framework or implementing extended detection and response capabilities, those are also going to improve your resilience.
Wendy Nather: Now, it's not necessarily clear whether simply the act of implementing these more sophisticated and careful and granular approaches to security in themselves boost your resilience or whether there's something magical in the architecture that makes you more resilient. We would have to look at it more deeply to figure that out. But we do see a certain level of correlation with those who are converging network and security into a cloud-delivered secure access services edge. That boosted security resilience scores by 27%. There are a lot of things that we would like to continue researching in the future. And actually, I would love to hear some input from you as to what else we should be looking at.
Dave Bittner: Our thanks to Wendy Nather from Cisco for joining us. The research is titled "Cracking the Code to Security Resilience: Lessons from the Latest Cisco Security Outcomes Report." We'll have a link in the show notes.
Dave Bittner: The CyberWire "Research Saturday" podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.