Cyber resilience programs are falling short

While 86% of organisations have a cyber resilience program, more than half of respondents say their organisation lacks a comprehensive approach to assessing cyber resilience.

Tuesday, 23rd May 2023, by Phil Alsop

Immersive Labs has published its 2023 Cyber Workforce Resilience Trend Report, conducted by Osterman Research. The report reveals that a steady increase in cyberattacks and an evolving threat landscape are leading more organisations to turn their attention to building long-term cyber resilience; however, many of these programs are falling short and fail to prove teams’ real-world cyber capabilities. The report, which surveyed 570 senior security and risk leaders at UK, US, and German-based enterprises with at least 1,000 employees, found that while 86% of organisations have a cyber resilience program, more than half (52%) of respondents say their organisation lacks a comprehensive approach to assessing cyber resilience.

Strengthening cyber capabilities tops the list of strategic priorities for organisations in 2023, with increasing the cyber resilience of cybersecurity team members (83%) and the general workforce (75%) identified as the two highest overall focus areas. Organisations have taken steps to deploy cyber resilience programs; however, 53% of respondents indicate the organisation’s workforce is not well-prepared for the next cyberattack (of any kind) and just over half say they lack a comprehensive approach to assessing cyber resilience. These statistics indicate that although cyber resilience is a priority and programs are in place, their current structure and training are ineffective.

“Cyber resilience is at the top of everyone’s mind today, amid an evolving threat landscape where ransomware, supply chain risks, and vulnerabilities are chief among security leaders’ concerns. And while it's promising to see organisations and leaders implementing tactics and programs to increase cyber resilience, many unfortunately are still missing the mark,” said James Hadley, CEO & Founder of Immersive Labs. “Despite all the classroom training and certifications, half of respondents indicate that employees, cybersecurity teams, and the organisation are under-prepared. It’s clear that current programs need to be restructured to drive a successful cyber resilience agenda.”

Additional key takeaways from the research report are highlighted below, spotlighting the need for more – and modernised – cyber resilience programs across organisations, not just for the security team:

● Organisations lack confidence that their general workforce will know how to respond to a cyber incident: Two out of three organisations lack confidence that 95% of their workforce would know how to recover from a cyber incident. High-priority tasks include maintaining business operations without the availability of core IT systems, handling urgent tasks using manual processes, and not exacerbating the recovery process by connecting compromised devices to the network.

● Organisations are questioning the reliability of industry certifications, classroom training, and ad hoc learning pathways to build cyber resilience: While almost all organisations encourage industry certifications, only 32% say they are effective at mitigating cyber threats. Classroom training is offered too infrequently to be effective, with only around a quarter (27%) of respondents indicating they are receiving monthly training. Almost half of respondents (46%) say their employees would not know what to do if they received a phishing email, despite years of security awareness training and phishing tests.

● Most companies lack a framework with metrics to measure and demonstrate cyber resilience: Having the right metrics in place to prove cyber resilience amongst teams is important, particularly as Boards and C-level executives are looking for concrete evidence. Despite this, almost half (46%) of senior security and senior risk leaders say they do not have the metrics they need to fully demonstrate their workforce’s resilience in the face of a cyberattack. Only around 6% of organisations are using informative metrics, such as response times for addressing vulnerabilities, intrusion rates, internal data loss, and incidence rates of various threat types.

● Communication with the Board and senior leadership about cyber resilience is imperative to drive change: During the past six months, the Board asked the security team to prove the organisation’s cyber resilience at fewer than half (46%) of organisations, and the senior leadership team did so at 51% of organisations. Raising awareness around the importance of cyber resilience is an important step in gaining more support from these critical leaders. When communicating with the Board and senior leadership, security and risk leaders should embrace cyber resilience messaging, rather than focusing on the status of piecemeal inputs, such as deploying new cybersecurity solutions.

“Any legacy cyber training approach that cannot deliver continuous exercising is not fit for purpose given the realities of today’s evolving cyberthreats,” added Hadley. “As organisations work to strengthen their cyber resilience agenda, they should focus on continuous assessment and building cyber skills and proving stronger outcomes. We need a renewed focus on better cybersecurity capability solutions and cultivating a workforce with the expertise to handle the real-world impact demands of new and emerging threats.”