- Cisco surveyed more than 4,800 organizations to determine which security practices were most effective.
- Rapid incident response and keeping technology up to date were two practices that correlated with success.
- Meanwhile, practices such as reviewing security measures and identifying key risks made less difference.
- See more stories on the Insider business page.
Cybersecurity and IT teams are chronically overloaded, with the task of protecting themselves from hackers, recruiting from a sparse group of talent, and keeping companies ’technology infrastructure up to date.
According to a study released by Cisco this week, some of the tasks these computers do may be more effective than others. The paper surveyed more than 4,800 security professionals from more than 25 countries about their methods and the status of their business, producing a list of more statistically effective practices.
The survey did not ask CISOs to draw conclusions about practices they believe work best. Rather, he surveyed respondents about which of the 25 security tasks he prioritized the most and his success rate in 11 different outcomes, such as avoiding major hackers, gaining the trust of executives, and running units profitably. . He then used this data to find correlations across the industry.
“I don’t like going to classmates and saying, ‘What are you doing safely,’ and what if your classmates aren’t good at safety?” Wendy Nather, Cisco’s chief CISOs advisor and one of the study’s authors, said during a presentation at the RSA security conference on Thursday. “We want to know what really works.”
Cisco itself licenses enterprise security software that helps detect activity on its networks to protect itself against hackers; the company is in the process of strengthening its security business.
Nather acknowledged that Cisco could have a “suspiciously convenient” stake in recommending security practices to companies, but said the firm did not influence the results of the study and noted that the study went be co-authored by Wade Baker, co-founder of the independent research firm Cyentia Institute. and professor at Virginia Tech. YouGov conducted the survey itself and did not inform respondents that Cisco funded the survey.
Of the 25 safety practices investigated by the researchers, they found that 23 correlated with an improvement of at least one outcome, but some had a much stronger correlation than others.
Keeping technology up to date and responding quickly to hacks were one of the most effective practices
Among respondents, a security practice more strongly correlated with good results: regularly refreshing software. IT teams that prioritized this were 11-15% more likely to report successful security programs, while respondents who said their companies only upgrade their IT infrastructure after they have -some error occurred they had significantly worse results.
Wade Baker, co-founder of the Cyentia Institute and professor of Virginia Tech
The researchers found that the second most effective practice is to have well-integrated technology, that is, security software that works effectively together.
Beyond the importance of integrated and up-to-date technology, the study found that three other closely related practices were among the most effective when security teams prioritized: rapid response to security incidents, rapid disaster recovery, and accurate detection. of threats.
“We will not achieve success in security just by buying good technology or hiring good people, the data suggests that these things should work together,” Baker said during the RSA presentation.
Researchers also asked respondents whether they felt their security budget was sufficient, but found that the size of the budget did not correlate with overall success, suggesting that throwing money at the problem is not enough to improve security. ‘a company.
The researchers were surprised by the practices that did not correlate with satisfactory results
The study found that some safety practices offer little or no correlation with good results. These include establishing a routine review of security measures, hiring an employee in charge of complying with cybersecurity laws, and identifying the “major cyber risks” that could lead to an attack.
“If you put these [practices] in front of me, none of them would say it’s not important, “Baker said.” But according to the data, some of these did not correlate with any of the results we measured. “
A table showing the correlation between respondents ’safety practices and satisfactory outcomes.
One caveat is that respondents ’responses varied depending on size, location, and industry, Baker added, noting that“ just because it’s the number one overall doesn’t mean it’s the number one for you. “. For example, the identification of major cyber risks did not significantly improve the overall survey respondents ’results, but only among the largest business respondents did the practice improve success by an average of 7%.
“Larger organizations have more threats and it becomes more important to know what they are defending against,” Baker said. “All we tell you is a kind of change depending on who you are.”
Read the full report here.