While most organisations have a cyber resilience program in place, more than half of them lack a comprehensive approach to assessing resilience, according to a study by Immersive Labs.
The study aimed at understanding business preparedness amidst growing incidents found a strong intent to strengthen cybersecurity capabilities driven by external threats.
“Rules of engagement for cyberthreat actors are constantly innovating to cause catastrophic and unavoidable situations,” said Michael Sampson, analyst at Osterman Research and author of the survey whitepaper. “Hence while cyber resilience is a hope for most organisations, the practices of building, testing, and improving cyber resilience are still immature at most organisations.”
The study, commissioned through Osterman Research, surveyed 570 respondents in senior security and risk roles in organisations with over 1000 employees. The survey was conducted in the United States, United Kingdom, and Germany.
Cyber resilient, yet not
While a majority (86%) of organisations have a cyber resilience program, more than half (52%) of respondents said their organisation lacks a comprehensive approach to assessing cyber resilience.
These programs consist of a combination of cyber resilience strategies, plans, and/or infrastructure, with the majority being internally managed by organisations (51%). At the same time, a smaller portion is outsourced to third parties, such as consultancies (35%).
Companies lack proper metrics to assess cyber resilience with almost half (46%) of senior security and risk leaders missing suitable metrics to showcase their workforce’s resilience against cyberattacks, and only 6% utilising informative metrics like response times, intrusion rates, internal data loss, and incident rates of various data types.
“I was disappointed by the lack of strength in the metrics that organisations were using to assess cybersecurity capabilities and resilience,” Sampson said. “Most are relying on an assessment framework using indicators, tests, and metrics unrelated to resilience.”
The survey also indicated that less than half (46%) of organisations had the board request the security team to demonstrate the organisation’s cyber resilience in the past six months. This was 51% for the senior leadership team.
“It was also surprising to see organisations without metrics on cyber resilience who still report several times a year to the board of directors on cyber resilience,” Sampson added. “We don’t know what is being said in these cases, but obfuscation of the reality would be bad news for everyone involved. It would be great if the board of directors at organisations started asking for evidence and drilling down into what is informing that assessment of resilience.”
External threats, unreliable training are mong major concerns
Cybersecurity threats and issues are the leading drivers for onboarding cyber resilient programs. Sixty-three percent of respondents said they are concerned with ransomware, with 51% and 48% respectively being wary of supply chain and code exploit-based attacks.
“The challenge of immature cyber resilience is reinforced by the chaotic nature of the key concerns held by organisations — ransomware, supply chain and third-party attacks, and coding vulnerabilities,” said Sampson. “There are many aspects of these attack types that remain dynamic, chaotic, and out of the control of the organisation.”
Distrust with industry certifications emerged as a key concern in the survey. While almost all (96%) organisations encourage industry certifications, only 32% said they are effective at mitigating cyberthreats. Also, only 48% of organisations look for cybersecurity certifications in hiring processes, despite 96% of them indicating that they encourage IT and cybersecurity teams to earn certificates.
The frequency of classroom training is also insufficient to effectively address cybersecurity threats, as only approximately 27% of respondents receive monthly training.
“While certification and training have a role to play in developing competence with a topic or product, they are less well suited to assessing how an individual would apply that competence to an ‘in the wild’ event and in relationship with others on the team,” Sampson added.
Despite undergoing security awareness training and phishing tests for several years, nearly half of the respondents (46%) indicated that their employees would be uncertain about how to handle a phishing email.
The time gap between developing certification training content, individuals learning the content, and assessing their competence doesn’t align with the rapidly evolving threat landscape, leaving individuals consistently outdated in addressing current cyberthreats, according to Sampson.
The study concluded that organisations need to prioritise cybersecurity efforts that focus on developing skills, knowledge, and judgment across the workforce, while actively evaluating and addressing resilience levels and cybersecurity skills gaps, to effectively tackle new and emerging threats in a rapidly evolving cybersecurity landscape.