Building Security Resilience: Top Leaders Share Real-World Best Practices
Organizations are quickly realizing that future success and longevity hinge on security resilience: the ability to navigate uncertain threats and change with confidence. That is no small feat given global connectivity, expanding attack surfaces, and a seemingly endless number of endpoints. Now more than ever, boundaries are disappearing and every user and device is a potential point of compromise.
This realization also comes at a time of mounting threats. Last year alone, 20,130 CVEs were published, vastly outnumbering any year prior. And security leaders are feeling the effects of this surge. The research captured in the latest volume of Prioritization to Prediction shows that 95% of all assets contain at least one highly exploitable vulnerability (yes, you read that right). Industry standards are evolving to address this rise in risk by shifting to a risk-based approach. Recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued a call for organizations to focus their remediation resources on vulnerabilities that are actively being exploited, rather than on severity scores alone.
To meet these recommendations and build security resilience, organizations are embracing risk-based prioritization technology and enhanced threat and vulnerability management intelligence.
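To make the difference between the two approaches concrete, here is an added example (not code from the e-book, Cisco, or Kenna) that ranks the same set of findings first by CVSS base score alone and then by a simple risk score. The weights, the hostnames and the findings are constructed for the illustration, and the vulnerability labels are placeholders rather than real CVE identifiers.

```python
"""Risk-based vulnerability prioritization contrasted with CVSS-only ranking.

Added illustration, not Cisco/Kenna code. Weights, hostnames and findings
below are constructed for the example; "vuln-*" labels are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln: str              # placeholder label, not a real CVE identifier
    cvss: float            # CVSS base score, 0.0 .. 10.0
    exploited: bool        # evidence of active exploitation in the wild
    internet_facing: bool  # asset reachable from the internet
    critical: bool         # asset hosts a business-critical function


# Assumed weights. W_EXPLOITED exceeds the maximum a non-exploited finding
# can reach (10.0 + W_INTERNET_FACING + W_CRITICAL = 18.0), so any actively
# exploited finding sorts above every non-exploited one, which is what the
# "focus on active exploits" guidance asks for.
W_EXPLOITED = 20.0
W_INTERNET_FACING = 5.0
W_CRITICAL = 3.0


def risk_score(f: Finding) -> float:
    """CVSS plus additive bonuses for exploitation, exposure and criticality."""
    score = f.cvss
    if f.exploited:
        score += W_EXPLOITED
    if f.internet_facing:
        score += W_INTERNET_FACING
    if f.critical:
        score += W_CRITICAL
    return score


def cvss_only_order(findings):
    """Traditional queue: highest CVSS base score first."""
    return [f.vuln for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_based_order(findings):
    """Risk-based queue: exploitation evidence, exposure, criticality, then CVSS."""
    return [f.vuln for f in sorted(findings, key=risk_score, reverse=True)]


def exploited_in_top(order, findings, n):
    """How many of the first n queue entries are actively exploited."""
    by_name = {f.vuln: f for f in findings}
    return sum(1 for v in order[:n] if by_name[v].exploited)


# Constructed sample: a high-CVSS internal bug with no known exploit sits
# next to a lower-CVSS bug that is exploited on an internet-facing gateway.
SAMPLE = [
    Finding("build-server-01", "vuln-A", 9.8, False, False, False),
    Finding("vpn-gateway-01",  "vuln-B", 7.5, True,  True,  True),
    Finding("hr-laptop-17",    "vuln-C", 8.1, True,  False, False),
    Finding("public-web-02",   "vuln-D", 6.5, False, True,  True),
    Finding("db-server-03",    "vuln-E", 9.1, False, False, True),
]


if __name__ == "__main__":
    print("CVSS-only order: ", cvss_only_order(SAMPLE))
    print("Risk-based order:", risk_based_order(SAMPLE))
    for order_fn in (cvss_only_order, risk_based_order):
        print(f"{order_fn.__name__}: exploited findings in top 2 =",
              exploited_in_top(order_fn(SAMPLE), SAMPLE, 2))
```

With a patching budget of two findings, the CVSS-only queue spends both slots on vuln-A and vuln-E, neither of which is exploited, while the risk-based queue spends them on vuln-B and vuln-C, the two findings attackers are actually using. The additive weights are a deliberate simplification; a production scorer would typically pull exploitation evidence from a threat-intelligence feed and asset exposure from inventory data rather than from hand-set booleans.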
What security resilience looks like in the wild
When examining how agile companies prove their resilience in the wild, common threads begin to emerge. Cisco Secure gathered top-performing security leaders to discuss their approach to security resilience; the takeaways are compiled in a recently published e-book, Building Security Resilience: Stories and Advice from Cybersecurity Leaders.
It contains a wealth of knowledge and real-world insight, so we encourage you to explore the e-book to learn what it takes to build a foundation of security resilience in your own organization. This blog highlights a handful of themes that run through many of these testimonies.
Here’s what some top security leaders said about building security resilience
Know your risks. Before overhauling any security operations or organizational approach, it’s important to take inventory of your threat landscape and potential points of weakness. Martin Lee, Strategic Planning and Communications Lead for Cisco’s EMEA, explains, “The first step in becoming resilient is to be aware of threats we face. You can’t take steps to protect yourself if you have no idea of the nature of these threats. The foundation of successful resilience comes from understanding the threats and your own weaknesses.”
Looking outside of your own organization is also critical, stresses Liz Waddell, an Incident Response Practice Lead with Cisco Talos. “It’s also important to have situational awareness of the world. Events happening in the news, while perhaps not directly cyber-related, will have an impact on what you’re protecting against.”
Take a risk-based approach. Finite resources and growing threats demand thoughtful and strategic decisions. “There’s a lot to protect, and with limited moves, we need to be very calculated,” says Corien Vermaak, a Cisco Cybersecurity Architect. “And that’s why we’re seeing a big move towards risk-based security.”
Understanding your organization’s risk appetite helps surface the true threats and the most effective action needed. “Resilience is about taking a risk-based approach to what the business can tolerate,” points out Goher Mohammad, Head of InfoSec at L&Q Group. “Together with the CIO, and/or the board, security leaders as the subject matter experts should clearly steer and articulate the risks; and what to do about them — enabling the organization to weigh up the correct decision.”
Managing risk isn’t just about the cost of a data breach, explains Mohammad. “It’s also about reputation and the long-term effect a data breach might cause. All things should be considered, then try to reach a decision about what you can tolerate (and what you can’t tolerate) as an organization.”
Communication is key. While this seems like a no-brainer, security priorities are too often contained within the Security department. Yet establishing security resilience is a true company-wide effort whose success hinges on the variety of voices and insight invested. The Accidental CISO (whose real identity remains a mystery) advises that “First and foremost, people and relationships are key to information sharing when it comes to anticipating threats to operational resilience. Other groups in the organization know their areas better than my team ever will. They also know what the business impact will be.”
Ensuring stakeholders and leaders outside of the security sphere are active participants in evolving security resilience is key. As information security pundit Lidia Giuliano notes, “One of the most effective ways to achieve resilience in any organization is to take a team approach, even if it is an informal team — a collaborative environment, rather than an established corporate grouping. This is important because a person is never alone in this endeavor.”
Now comes the hardest part of cross-departmental communication and collaboration—making it simple and actionable. But it’s arguably the most important part. CEO of PrivacyCode, Inc., Michelle Dennedy, believes, “In a world with constant change and growing complexity, clearly communicated and granular-level leadership creates and reinforces resilience. I am always seeking simple and easy-to-engage steps to solve monumental challenges.”
Invest in your people (and teams). Cybersecurity burnout is an ongoing challenge contributing to talent shortages and high turnover. Protecting and supporting security professionals should be a top priority for organizations wanting to boost longevity and resilience. “The most important thing is to invest in your people — protect their mental health, first and foremost,” says Waddell. “Security is an industry notorious for people being overworked and burned out. Make sure you have the right people in the right places. Invest in their training so they know your environment and technology and are ready to respond and protect it.”
Security doesn’t work without healthy humans at the helm. That’s why Cisco published Creating Safe Spaces: Leaders and Practitioners on Mental Health and Avoiding Burnout, a helpful e-book highlighting how to maintain a healthy and happy work environment.
The unknown is inevitable—resilience is not
Savvy security leaders recognize that we’ve entered an era of unknown threats and change and that future-proofing their security means future-proofing their organization. “Resilience is far bigger than just security, but of course, security is such a key part,” advises Vermaak. “Security is like the king piece on the resilience chessboard.”
Malik reminds us that events will occur. “Threats exist and incidents happen. Resilience is achieved when both the likelihood of an incident occurring is reduced, and the impact caused is minimized.”
And when those events unfold, it’s the ability to face these events with confidence that sets apart the truly resilient from the resistant. Lee affirms, “Resilience means being able to manage the threats that we face, and not immediately crumbling when a threat succeeds in causing harm.”
These experts recognize now is the time to embrace the unknown and evolve to meet it. They know the alternative to security resilience—crumbling when a threat succeeds—is not a recipe for business success.
For deeper insight into building a foundation of security resilience and to learn how a leading global oil company evolved its security strategy, explore Building Security Resilience: Stories and Advice from Cybersecurity Leaders.
Also, watch the on-demand replay of How Improving Security Resilience Reduces Business Risk to hear Ed Bellis, CTO, and Co-founder at Kenna Security at Cisco, and Liz Waddell, Global Practice Lead, Cisco Talos Incident Response, break down what security resilience is and how to achieve it.