Cyber resilience is a leading strategic priority today, and most enterprises are now pursuing programs to bolster their ability to mitigate attacks.
Yet despite the importance placed on cyber resilience, many organizations struggle to measure their capabilities or track their progress. They are essentially flying blind, relying on unreliable indicators such as historical attack response times or operating with no real framework in place.
Many organizations are stuck spinning their wheels, attempting to cobble together an assessment framework using indicators, tests, and metrics unrelated to resilience. A lack of accurate metrics also means many firms have little idea of their true capabilities, leading to a dangerous combination of overconfidence and under-preparedness.
How can enterprises start making meaningful improvements when it comes to cyber resilience?
Cyber resilience hinges on developing security skills and knowledge
The heart of cyber resilience lies not with the latest technology but with the organization’s workforce. Regardless of the company’s other investments, it is unlikely to see a meaningful increase in security if it does not invest in its people.
First and foremost, this means having access to security personnel with the right training and experience and ensuring they can continually learn and adapt to new threats.
But it also means investing in non-technical staff. Senior executives without security backgrounds will be counted on to keep cool heads and make critical strategic decisions amid a serious and time-sensitive crisis. Finally, it means the ability for personnel throughout the company to recognize and respond to a broad range of cyber threats, such as phishing.
Enterprises generally know that their workforce is an important part of their security strategy but are often unsure how to invest effectively.
Traditional cybersecurity training is often delivered ad hoc using outdated learning methods, and it primarily measures attendance, not proven capabilities. This approach is far too slow and stilted to keep up with the speed at which cyber threats evolve. Classroom training sessions are usually at least three months behind, so the tactics and malware strains they cover may already have fallen out of use by the time the team gets to grips with them.
Classroom settings are generally the default for the wider workforce, but courses are offered too infrequently, and participants are unlikely to engage and retain enough knowledge to change their behaviors meaningfully. Leadership may also engage in tabletop exercises, but again these are generally rendered ineffective by being too infrequent and too divorced from the reality of a real cyber crisis.
Certifications are no substitute for strategic direction
We have found that organizations often rely on industry certifications to guide their security training and development programs. But while they can provide a general direction for security professionals on how they might approach threats, they do little to address current specific threats or drive true preparedness.
Many security decision-makers have told us they lacked confidence in certifications having a meaningful impact on threat mitigation. Tellingly, most security hiring does not take certifications into account.
Truly increasing cybersecurity capabilities requires identifying skills gaps, filling them, and proving the increase in resilience to the company’s senior leadership.
Achieving this requires a purposeful and proactive approach to security skills and awareness.
A continuous approach is key
Driving cyber resilience requires a continuous approach to development. It’s been clear for some time that sporadic, classroom-based learning efforts are simply not delivering the results businesses need, either for cyber professionals or non-technical leadership and other staff.
Instead of relegating security development to a forgettable annual calendar reminder, a continuous approach keeps security front of mind throughout the year.
Security threats also need to be brought to life with realistic simulation exercises. This approach will provide a much more engaging experience for participants and a far more accurate indication of their abilities. Real-life exercises give far more insight into an individual’s mindset and potential than a certification’s often rote, static nature.
Security teams must be ready to respond rapidly and confidently to the latest emerging threats, in line with industry best practices. They must have the right skills, from closing off newly discovered zero-days to mitigating serious incoming threats such as attacks exploiting Log4Shell.
But they must also be able to apply those skills calmly and with control, even when facing a looming crisis. This capability can only be developed through continuous exercise.
Using frameworks to focus security strategies
This activity must happen within a framework that defines the organization’s priorities and goals. Existing frameworks such as NIST’s make a good starting point, and firms should ideally create their own once they have the confidence and data to do so. The aim is for leaders to be able to demonstrate the strengths and weaknesses of every team and department throughout the organization and compare them against industry benchmarks.
As organizations increasingly accept cybersecurity as a strategic priority, it is also essential that CISOs have a seat at the executive table. While this has become more common, some businesses still have their CISO report to the CIO, effectively rendering security a subsection of IT. Having the CISO directly involved at the executive level helps ensure that the company’s security preparedness matches its confidence, and that resilience is given the proactive strategic importance it requires.