Basic Enterprise Security Hygiene is Still Essential

Patching and updates are critical, yet can be daunting. Security pros can lessen the burden with outsourcing and automation.

istock 1061357610 blog3 cisco
anyaberkut

Basic security hygiene, such as patching and updates are time-consuming and never-ending for IT security personnel.

“It’s no shocker that patching causes a lot of fatigue and anxiety,” says Sean Frazier, Advisory CISO at Cisco. “Many organizations have a long tail of technology, a lot of legacy to maintain, while also constantly deploying new technologies. Both the old and the new must be patched and updated. Sometimes that requires different skill sets or a different time cycle, but it’s all additive. The patching problem never gets less, it’s always more.”

And yet, the consequences of not conducting basic security hygiene such as patching and updates can be costly, according to the Cisco 2020 CISO Benchmark Study:

  • 46% of organizations suffered security incidents due to unpatched vulnerabilities, up from 30% the previous year
  • 38% of these companies reported data losses of 10,000 records or more

But there’s good news: the study also found that organizations that consistently practice security routines report lower breach costs.

Outsourcing enhances security hygiene

Enterprises must improve their security hygiene. Now.

“Threats occur a lot faster than five or 10 years ago, even a couple of years ago,” Frazier says. “The problem is more acute. And the more acute, the faster that things like patching have to get done.”

Outsourcing, he suggests, can offer that speed. Considering how complex environments have become, the addition of just one new technology has a knock-on effect to multiple layers, including hardware, operating system, application, and data.

“Outsourcing used to be a conversation around cost reduction,” he says. “But with today’s complexity, it’s really about speed-to-patching and speed-to-adapting to new things.”

Certainly, it’s also still about cost efficiencies, which is the number one reason for outsourcing, according to the Benchmark Study. Maintaining and updating these complex IT environments has become too time-consuming for in-house resources.

“If you think about the dollars spent on just keeping systems running, let alone keeping systems up-to-date from a security perspective, it’s pretty daunting,” Frazier says. “If I can get out of the business of patching the entire stack, that helps me free up some of my resources.”

Automating security basics

Similar to outsourcing, automation is helping organizations improve patching and update efforts. The Benchmark Study found that 77% of respondents plan to increase investments in automated solutions that simplify and speed response times in their security environments.

Frazier advocates for level-setting and risk assessment before diving into automation. That includes understanding the organization’s inventory of systems, applications, and platforms that serve up data —both in-house and in vendor-based data centers.

“One thing that struck me in the Benchmark report,” he says, “is that folks who have clear security objectives are looking at high-value assets and inventory. If you’ve done the planning, you’re usually better off because you understand what you’re protecting, and you understand the risk posture. If you don’t do that planning, then your teams are going to experience fatigue and anxiety.”

Another piece of advice toward taking care of basic security hygiene: Get everyone involved.

“We have a famous saying here, which is: ‘Everybody is in security.’ It is not just about the security team. It has to be embedded into everything that you do as an organization. In my view, security is dial tone. It’s got be everywhere.”

Cisco has solutions to help embed and integrate security throughout your organization.

For more information, visit: https://www.cisco.com/c/en/us/products/security/index.html

Related:

Copyright © 2020 IDG Communications, Inc.