#RSAC: What Makes a Security Program Measurably More Successful?

There are a lot of common activities that security professionals will often associate with enabling a successful security program, but which ones actually work? That's a question that was answered in a keynote session on May 20 at the 2021 RSA Conference.

Wendy Nather, head of advisory CISOs at Cisco, worked together with Wade Baker, partner and co-founder and professor at Cyentia Institute and Virginia Tech, to conduct a survey and the associated Cisco 2021 Security Outcomes Study. Nather explained that the report looked at 25 different common security practices grouped under three top-level categories: Business & Governance, Strategy & Spending, and Architecture & Operations.

"We wanted to find out, does anything matter in security?" Nather said.

What Makes a Successful Security Program

The good news, according to Baker, is that most common security practices do in fact lead to some kind of positive outcome, though some are more successful than others.

"What we do in security matters. There is good evidence here that these standard practices, all of which by the way are pretty general, do actually achieve the outcomes that people tell us that they want to achieve," Baker said.

Nather said that, in particular, there were five common practices that were the most connected to an organization's having a successful outcome:

Proactive tech refresh
Well-integrated tech
Timely incident response
Prompt disaster recovery
Accurate threat detection
What we do in security matters. There is good evidence here that these standard practices . . . do actually achieve the outcomes that people tell us that they want to achieve.Wade Baker ..

Support the originator by clicking the read the rest link below.