The Power of Relationships: Executive Buy-In and Security Culture for Bolstering Resilience

“Where do we start?”

This is the question every CISO asks about every new program. In fact, I ask and answer that question many times a month. There’s a reason for this, of course. A strong start to any project builds momentum, reassures stakeholders, and sets the stage for what’s to come. Security resilience initiatives are no different.

Security resilience is the ability to anticipate and respond to unpredictable threats or changes, and then emerge stronger. It’s hard to imagine a more vital undertaking for CISOs. And as with all initiatives, CISOs always want to know where to begin.

They’re likely to find some valuable starting points in the Security Outcomes Report, Volume 3: Achieving Security Resilience, the latest in a series of reports released by Cisco and reflecting the viewpoints of 4,700 IT and security professionals from 26 countries.

The report identifies seven success factors CISOs can pursue to improve outcomes within their own enterprise security resilience programs, placing a high priority on security resilience. The seven success factors range in nature from the architectural—simplifying your hybrid IT environment, maximizing zero trust adoption—to more relationship-focused factors.

It’s the latter that caught my eye.

Seven success factors for resilience:

  1. Establish executive support
  2. Cultivate a culture of security
  3. Hold resources in reserve
  4. Simplify hybrid cloud environments
  5. Maximize zero trust adoption
  6. Extend detection and response capabilities
  7. Take security to the edge


Solid relationships enable security resilience

It shouldn’t surprise any CISO that the first two success factors are built around relationships. These factors zero in on relationships with company leadership (as measured by establishing executive support) and relationships with people across the organization (as measured by cultivating a culture of security). Experienced CISOs know that these factors can make or break security initiatives.

Given the objective of security resilience is to withstand threats and come back even stronger, it’s clear that resilience must exist before, during, and after a cybersecurity incident. This has repercussions on the executive level and throughout the business.

Lack of executive support can lead to detection, response, and recovery capabilities that are chronically underfunded. This leaves CISOs at a disadvantage when security incidents do inevitably happen and panic strikes the C-suite.

What’s more, CISOs who lack strong executive relationships may also find themselves struggling to oversee incident management and coordinate communications. And afterward? Remediating and improving the security posture, which often impacts multiple parts of the organization beyond IT and often requires significant investment, stalls without a necessary lift from leadership.

The security report, which scores resilience levels across a series of criteria, finds that organizations reporting a strong backing from leadership have resilience scores that are 39% higher when compared to organizations reporting weak support.

“Bridges to the C-suite are built upon a solid understanding of how the business works and how security initiatives can make it work even better,” notes the report. “Support goes both ways in any relationship, after all.”

In addition to keeping the program aligned, CISOs must keep in communication with their peers and superiors. Those who share only transactional relationships within the C-suite find their interactions limited to status updates and budget requests.

Transformational relationships, however, involve more frequent and deeper communication and interactions, which cover a broader set of topics than submitting the latest budget ask. They are, in other words, more valuable.



A security culture can create willing resilience partners

Of course, executive support is just one crucial factor for success. Resilience programs need broad support from throughout the organization, not just at the top. Every time an employee picks up a mouse or accesses an app from their mobile phone, they make a choice to either strengthen or lessen the organization’s security posture. Every time an improvement is necessary following a security event, cultural buy-in determines whether this new request from security is implemented or circumvented.

According to the report, organizations that successfully foster a culture of security can see a 46% increase in resilience compared to those who lack such a culture.

Much like aligning a program with the business direction furthers leadership buy-in, CISOs need to align security policy with the functional direction of the business—but in a way that helps employees see security measures as protecting not just corporate data and IT assets but also their own future. When employees aren’t on board or see security measures as IT concerns with no relation to them, resilience suffers.

“Frequent security policy violations and workarounds,” notes the report, “are evidence of poor security culture.”

By viewing policy exceptions as feedback, and investigating these from the perspective of identifying and correcting misalignment, security leaders can enroll employees as the willing participants in the solution—rather than contributors to the problem.

Security leaders know, by and large, what we need to do to secure our organizations. We have frameworks with pages of controls. We have risk registers with lists of action items. Where we often struggle is translating this knowledge into action. To do that, we must see our efforts within the strategic context of executive leaders and the tactical reality of the line managers in our organization. We must personalize and prioritize our efforts around what matters to the people we collaborate with.

It is through engaging people that our security programs become human-centric and, in turn, become more resilient.

Where do we start? With relationships. Good relationships lead to good security programs, and good security programs lead to great relationships. And all of these contribute to security resilience.


Download the Security Outcomes Report, Vol. 3: Achieving Security Resilience today.
