Cisco Survey: You Can’t Fix… Security

You can’t fix stupid. Or, apparently, security, according to Cisco’s latest survey of Chief Information Security Officers (CISOs) and Security Operations executives polled at 1,700 companies.

That’s not what Cisco said, and they’re perfectly willing to sell you products and services to at least reduce security issues – just like every other security vendor out there – but it appears to be the key takeaway from their survey (and every other security survey I’ve seen for the last few years). How else can you explain that fewer than 50% of respondents use standard tools such as patching and configuration management to help prevent breaches and ensure they are running current software versions, BUT 90% are “confident” in their security efforts?

“Of course they’re going to be confident,” said Jason Brvenik, Principal Engineer, Cisco Security Group, “but times change.” The security environment has changed, and security professionals and their masters must change too.

“The pursuit of perfection is a faulty one. You have to be successful 100% of the time; the attacker only has to be successful once.”

Cisco said attackers have become more proficient at taking advantage of gaps in security to evade detection and conceal malicious activity, so defenders, namely security teams, must constantly improve their approach to protect their organizations from these increasingly sophisticated attack campaigns. “Security needs an all hands on deck approach, where everybody contributes, from the board room to individual users,” stated Cisco’s John Stewart, SVP, Chief Security and Trust Officer. “It requires leadership, cooperation, and accountability like never seen before in our industry.”

It’s not your same-old security environment, said Brvenik. “The industrialization of hacking is in full effect.” He said the bad guys are organized, have quarterly targets and people managing them.

The user is the new target, and the user exists in many places, not just at the asset you are protecting. Brvenik said the thought process has to shift from protecting the asset to protecting the user. “We’re attacking all of these different areas and pushing hard to put effective tools into the hands of users that support these different ends.”

Virtually every security survey reports that the situation is bad and getting worse. “After analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime – and the bad guys are winning,” said Wade Baker, principal author of Verizon’s authoritative Data Breach Investigations Report series.

Former Cisco converged infrastructure/integrated systems/all-in-one BFF EMC reported in its December security survey that businesses lose over $1.7 trillion per year from data loss and downtime. According to the global study, data loss is up 400%, 64% of enterprises experienced data loss or downtime in the last 12 months and most say they remain unprepared in the new era of mobile, cloud and Big Data.

Security may be broken, but more money is being thrown at it, and senior executives appear to be finally taking notice that this is a problem that’s growing. For instance Infonetics Research reported last month that network security was getting a lot more love towards the end of 2014. “The network security appliance and software market is heading into the last quarter on something of a roll, though we look for quarterly revenue growth to slow by next year,” noted principal analyst Jeff Wilson.

A new Cloud Security Alliance (CSA) survey, the Cloud Adoption, Practices and Priorities Survey Report, found that decisions concerning the security of data in the cloud have shifted from the IT room to the boardroom, with 61% of companies indicating that executives are now involved in such decisions. “As companies move data to the cloud, they are looking to put in place policies and processes so that employees can take advantage of cloud services that drive business growth without compromising the security, compliance, and governance of corporate data,” said Jim Reavis, CEO of the CSA.

In November security guru Jon Oltsik, Senior Principal Analyst, Enterprise Strategy Group blogged that information security is getting a lot more respect “now that business mucky-mucks read about data breaches in the Wall Street Journal on a daily basis…”

He said the top brass are now struggling to understand cyber risk and gain greater oversight of infosec strategies. They are also willingly increasing IT security budgets. According to ESG research, 62% of organizations planned to increase information security spending in 2014 and it’s likely that even more will do so next year (ESG Research Report, 2014 IT Spending Intentions Survey, February 2014).

At the end of December Gartner forecast the information security market would see a compound annual growth rate of 8.1% through 2018 as digital business initiatives, compliance requirements and increasingly complex targeted attacks continue to drive spending. IDC called 2014 “the year of security” but believes “it’s likely that 2015 will also be a year of security. Hopefully, the focus on security in 2015 will be about the good guys.”

Stopping breaches is never going to be 100% effective, said Brvenik. The key is how quickly you can recognize one and resolve it. “The time to resolution is the metric we should focus on.”

Security Manifesto

Cisco’s “Security Manifesto” is a set of security principles to help corporate boards, security teams and users in an organization better understand and respond to the cybersecurity challenges. The principles are:

  1. Security must support the business.
  2. Security must work with existing architecture – and be usable.
  3. Security must be transparent and informative.
  4. Security must enable visibility and appropriate action.
  5. Security must be viewed as a “people problem.”

Author: Steve Wexler
