Chief information security officers never seem to get a break, whether the new challenge comes from well-funded adversaries, increased business risk, new regulations, tight budgets, or talent shortages. Cisco’s CISO Benchmark Study for 2020 offers some perspective on the dynamic nature of security work as well as some best practices to make life a little easier and data somewhat more secure.
SEE: Cybersecurity: Let’s get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)
The “Securing What’s Now and What’s Next: 20 Considerations for 2020” covers everything from spending priorities to testing breach response plans to new mobile threats. Here are 16 best practices from the report.
Collaboration helps cybersecurity
Breaking down data and departmental silos has a financial upside. Most network and security teams report close collaboration. The report authors looked at the connection between collaboration and the cost of the worst data breaches. Companies that had very or extremely strong collaboration between security and networking teams or endpoint management and networking teams showed significantly lower breach costs that were less than $500,000.
Implement Zero Trust to tighten cybersecurity
Threats from mobile devices are now the biggest security threat with more than half of the respondents said mobile devices are now very or extremely challenging to defend. Last year user behavior was the biggest challenge.
SEE: Top Android security tips (free PDF) (TechRepublic)
Cisco recommends a Zero Trust Framework to improve mobile security. This approach authenticates users, checks devices, and limits where a user can go. To develop a zero trust security model, companies should take these steps:
Establish a clear identity and access management strategy that includes multi-factor authentication (MFA)
- Create an up-to-date asset inventory that distinguishes between managed and unmanaged devices
- Create a trusted device policy that prompts users to update their devices against measured vulnerabilities
- Control user access through a centrally managed policy that identifies and acts upon exceptions
- Build an architecture and set of processes that enables users to access on-premise and cloud applications
SEE: Secure your data with two-factor authentication (free PDF) (TechRepublic)
The survey found that only 27% of organizations are using MFA. The industries with the highest adoption rates are software development, financial services, government, retail, manufacturing, and telecommunications.
Test your response plan to prepare for cyberattack
The survey identified nine best practices that could keep the costs of a breach under $500,000 or even less than $100,000. These tasks include:
- Review and improve security practices regularly, formally, and strategically over time
- Regularly review connection activity on the network to ensure that security measures are working as intended
- Integrate security into the organization’s goals and business capabilities
- Routinely and systematically investigate security incidents
- Put tools in place to provide feedback about security practices
- Increase security controls on high-value assets as necessary
- Integrate security technologies
- Keep threat detection and blocking capabilities up to date
- Make it easy to determine the scope of a compromise, contain it, and remediate
The survey found that there is a tangible ROI in implementing a baseline patch policy. Forty-six percent of respondents were more concerned about unpatched vulnerabilities in this year’s survey, compared with 30% last year. Breaches caused by unpatched vulnerabilities resulted in more data loss as well. Thirty-eight percent of organizations that lost data this way said the impact was 10,000 data records or more. Among companies who hadn’t suffered a breach from an unpatched vulnerability, only 27% lost 10,000 or more records.
SEE: Launching a career in cybersecurity: An insider’s guide (free PDF) (TechRepublic)
The sixth annual survey included 2,800 IT decision-makers from 13 countries. The research team also spoke with a panel of CISOs to analyze the findings and build the list of 20 considerations for 2020.