How fast can organizations respond to a cybersecurity crisis?

Immersive Labs launched an analysis of human cyber capabilities. The report analyzed cyber knowledge, skills and judgment from over half a million exercises and simulations run by more than 2,100 organizations in the last 18 months. These were broken down to understand the workforce cyber capabilities of cybersecurity, application security and crisis response teams.

Key findings

Analysis of 35,000 cybersecurity team members inside 400 large organizations reveals it takes over three months (96 days) on average to develop the knowledge, skills and judgment to defend against breaking threats, except with Log4j. Infrastructure and transport are the two slowest sectors, taking an average of more than four months (137 days) to ensure skills development after a threat emerges.

A long lag in human capabilities contrasts significantly with the widely accepted need for swift technical remediation. Government cybersecurity bodies, for example, suggest patching as quickly as 48 hours after a vulnerability emerges. Log4j was an exception to this rule, with cybersecurity teams developing human capabilities within just two days.

Cybersecurity teams prioritize knowledge, skills and judgment development against high-profile threat groups. The top five groups of interest, in order, are UNC2452 (Solarwinds), Iranian Threat Groups, Fin 7, Hafnium and Darkside. Capability development is significantly more rapid with such groups. The knowledge, skills and judgment to defend against SolarWinds, for example, was built nearly eight times quicker than average.

The frequency of organizations conducting cyber crisis exercises varies significantly across sectors. Analyzing over 6400 crisis response decisions shows that technology and financial services companies prepare the most for cyber-attacks, running nine and seven exercises per year respectively. Critical national infrastructure organizations prepare the least, with just one exercise per year.

Ransomware causes great uncertainty for crisis response teams. Seven out of the top 10 least confidently answered crisis scenarios across the entire platform were focused on this threat. When asked, 83% of all organizations chose not to pay the ransom; however, 18% of Government crisis response teams did, despite often being against official guidance.

Application security teams develop human cyber capabilities faster than cybersecurity teams. Analysis of 43,000 hands-on application security exercises shows that 78% are completed faster than expected, as opposed to just 11% for cybersecurity labs. The average application security exercise is completed 2.5 minutes under the predicted complete time – but cybersecurity labs take 17 minutes longer than expected.

The cybersecurity talent of tomorrow struggles to engage with application security. Pointing towards a potential future problem for the industry, of the 176,000 exercises completed by university students and other groups aiming for a career in cybersecurity, application security skills have the lowest engagement rate – a quarter of that of offensive cybersecurity skills. In fact, only 0.5% of all the labs completed focused on application security. With insecure software being the cause of some of the largest breaches of 2021, this highlights a burgeoning future problem for the industry.

Rebecca McKeown, Director of Human Science at Immersive Labs and ex-military psychologist, said, “The data on the time gap between threats breaking and people having the ability to defend against them shows a need for faster time to human cyber capability for large organizations. Without this, people will potentially be making decisions founded in unhelpful biases.”

“Cybersecurity presents a unique skills development challenge for humans. Responding to a hybrid real-world and digital battlespace which is always changing means continuous skills development is crucial to preventing skills decay and building cognitive agility.”

“The insights produced by this report underscore the need for large organizations to have visibility of the cyber capabilities of their workforce, ” said James Hadley, CEO of Immersive Labs. “Without measuring the ability of technical and non-technical teams to mitigate risk, a critical part of resilience is missing. Gaps in cyber knowledge, skills and judgment can have the same impact as technical vulnerabilities.”