Seasoned cyber pros are more complacent in their skills than junior staff

Average response time accelerated from 29 to 19 days, from 2021 to 2022, with lessons from Log4j and other high-profile vulnerabilities having a significant impact on urgency levels, according to Immersive Labs.

Faster response time to new threats

Improvements to organizations’ median time to respond to new threats reveals a great deal about the overall state of cyber resilience, since faster response time means a smaller window of vulnerability and a lower risk of negative impact to the business. The Log4j crisis, for example, was a watershed moment that served as a catalyst for this urgency given its catastrophic impact.

While the initial discovery of Log4j dates back to December 2021, it continues to be a chart-topper among users of the Immersive Labs platform as two of the top five most frequently attempted CVE labs over the last year were Log4j-related.

“Leaders should ensure that their workforce – at all levels of experience – stays current with emerging threats, and get proof of their teams’ knowledge, skills and judgment to quickly and effectively respond to threats,” said Immersive Labs CEO James Hadley. “Our report’s insights underscore the critical importance of consistently conducting realistic exercises to assess skills gaps and fill them before it’s too late — but just as importantly, if the worse case scenario does happen, knowing how to best handle incidents ‘after the boom’ to mitigate fallout.”

Cyber resilience is rising globally

To effectively reduce risk, organizations must be prepared before and after an incident. While organizations are ensuring that cyber resilience activities span the MITRE ATT&CK framework, researchers observed a notable bias towards the earliest stages of the attack lifecycle, suggesting security leaders are potentially leaving their organizations exposed to after-incident risk.

Seasoned cyber pros are more complacent in their skills than junior staff: Junior staff tend to challenge themselves with more difficult exercises and are more likely to stay current with new threats compared to more experienced cyber professionals. More junior workers on average complete content that is more difficult than more experienced professionals. However, to effectively prepare for cyber threats, individuals at all stages of their career need to be prepared for the latest threats.

Modest gains were made in achieving resilience, especially those who focused on key areas such verifying the skills of new talent (46%) and assessing security team capabilities in realistic scenarios (30%) amid more sophisticated cyber threats.

Financial services firms are the top individual performers: Holistically, regulated industries only marginally outperform less-regulated peers, with a 6% difference across key resilience metrics, showing that regulated industries on average are not substantially better prepared for attacks than less-regulated industries.

Nevertheless, financial services firms tend to perform the best, as the industry represents seven of the top 10 overall performers, largely attributed to their commitment to continuously exercising and benchmarking their teams, creating organizational competence.