While cyber resilience programs are in place in most organizations, more than half those asked in a recent survey expressed concern about how effective they were, and about how well prepared the business was to deal with cyber attacks.
The lack of reliable criteria on which to assess the level of resilience was a major concern, and more than half those who responded said their organization lacked a comprehensive approach to assessing cyber resilience. With regulators on both sides of the Atlantic increasing their focus on cyber resilience, the research reveals there may be trouble ahead.
The survey was carried out by Osterman Research for Immersive Labs in November 2022. The 570 respondents were senior risk and security professionals at organizations with more than 1,000 employees in the UK, US and Germany, working largely in financial services, tech and consulting.
Strategic priority
Cyber resilience emerged as the top strategic and spending priority, with the threat of cyber attacks, particularly ransomware attacks, chief among concerns. But, says the report: “Half of organizations are flying blind across a wide range of cybersecurity indicators despite having cyber resilience programs in place”. This is because: “Organizations are attempting to cobble together an assessment framework using indicators, tests, and metrics unrelated to resilience.”.
The research found that 80% of organizations ranked improving the resilience of the cybersecurity team and the general workforce as the highest priority. The focus on upskilling existing team members rather than hiring new cyber security professionals is seen as partly a recognition of the skills gap in the market, but also of the necessity to improve skills and awareness across teams and structures.
While 54% of those surveyed said they had the metrics they needed to demonstrate the resilience of their workforce in the face of a cyber attack, that implies 46% do not. Of that 46%, the survey found that just under half report to their board several times a year on cyber resilience. “The only valid report under these circumstances”, the report concludes, “is to say ‘we have no idea’. If anything else is claimed, senior security and security risk leaders are deceiving the board of directors and setting the organization up for massive failure.”
The survey asked how organizations measured the cyber capabilities of teams and individuals. The results are described as “haphazard steps towards a framework”. The five most common responses were;
- Response times to historical cyber threats (9.8% of responses)
The problem here, says the report, is that this offers only an approximate assessment of cyber capabilities for future incidents.
- No framework for assessment (9.3% of responses)
This means cyber resilience is being left to chance. And the report says: “Shockingly, many organizations in this group believe nonetheless that their cyber security team and the general workforce will be able to perform the relevant tasks needed to recover from the next cyber incident – based on no evidence.”
- Some type of testing method (6.5% of responses)
Employees would either be tested alone or against others, with phishing simulation tests being widely used. The trouble is, says the report, “measuring cyber capabilities requires assessing cooperation across a team, not competitive stack ranking of individuals”. It also points out that phishing simulation tests only show how an individual responds to a single type of threat.
- NIST Cybersecurity Framework (6% of responses)
While this framework does offer standards and guidelines, it needs to be tailored by each organization using it, and NIST does not offer a certification program.
- Cyber security metrics (5.6% of responses)
These include response times to addressing vulnerabilities, tracking intrusion rates, internal data loss metrics and incidence rates. Visualisations of these can provide real insight.
One of the report’s key conclusions is to say: “All boards receiving regular reports on the cyber readiness of their organization need to start asking the messenger a question: How do you know?”
Ad hoc and reactive
The report’s findings also reveal weaknesses in the approach to improving cyber resilience at many organizations, with cyber security team members “relying on ad hoc and reactive learning pathways to get up to speed on the latest vulnerabilities”. Individuals are left to find the right conferences and forums to attend, with content at conferences too often outdated by the time it is approved and delivered.
This also means the focus is on the learning interests of the individual rather than developing a structured mechanism for the whole team, and learning is disconnected from the resilience objective.
Responses revealed that classroom training is offered in almost all organizations. But, says the report, “cyber threats move at the speed of cyber, classroom training does not”. Instead, organizations need to deliver continuous training.
While 96% of the respondents placed a high emphasis on industry certification, only 32% rate them as “very effective” and only 48% check for certifications during the hiring process. The report observes: “Organizations face financial outlay and lost productivity for technical teams to achieve and maintain industry certifications, yet these certifications are proving ineffective at mitigating cyber threats.”
Cause for concern
Overall, the survey results indicate cause for concern. Asked if they thought their organization was well prepared for a cyber attack of any kind, 53% said no, and almost half (46%) doubted their employees would know what to do if they received a phishing email. At half of the organisations surveyed there was a lack of confidence that executives would respond well to a cyber incident, and two in three lacked confidence that that general workforce would know how to respond.
The report concludes: “To prepare for future threats, organizations urgently need to implement ways to better evaluate current resilience levels and fill cyber skills gaps. In driving the cyber resilience agenda, a comprehensive approach that assesses competence, builds team-level skills, and highlights gaps is essential.”
The Cyber Workforce Resilience Trend Report is available to download in full on the Immersive Labs website.