Cybersecurity has always been a dynamic and fluid field. Threat actors are constantly discovering new vulnerabilities and developing innovative attack techniques, forcing security teams to continually play catch-up.
Unfortunately, acquiring the capabilities needed to deal with the latest threats can be a time-consuming process. Immersive Labs’ recent Cyber Workforce Benchmark report found it takes an average of three months (96 days) for cybersecurity teams in large organisations to develop the skills necessary to defend against breaking cyber threats.
That means most organisations spend an agonising 90 days wide open to the attack tactic – a serious issue in a threat landscape where thousands of vulnerabilities are being discovered every year.
What impact is this delay having on cyber resilience, and how can organisations get up to speed?
The challenges in delivering new cyber skills
Being presented with an unfamiliar scenario in a high-pressure and high-intensity environment increases the likelihood of making snap decisions based on instinct rather than logic. This is fine when the issue is a familiar one, but when faced with new and complex scenarios, a traditional solution is likely to be the wrong solution.
This is a huge problem in cybersecurity, where high-speed attacks like ransomware demand decisive action. Security professionals on the ground need to act quickly to contain and limit a threat, while strategic decision makers must make tough choices such as whether to pay a ransom demand.
Individuals are more likely to make the right call in a cyber crisis if they have exercised frequently in a safe environment that enables them to test innovative ways of working.
However, the current three-month delay in gaining this experience is not sustainable. Indeed, regulatory bodies suggest that security teams should be able to identify and patch vulnerabilities within 48 hours of a ransomware attack.
Learning is a naturally iterative process, so developing new skills and building experience always takes time. Individuals must start with the basics and understand the “what” of a situation before they can move on to the more in-depth “why”. Having both layers of understanding is important for a truly effective crisis response.
What can be done to overcome this challenge and increase the pace?
Catching up with cyber threats
Attempting to catch up to each new threat as it emerges will leave security teams at a perpetual disadvantage. If they’re lucky, they might manage to catch up with the cyber criminals before the next threat emerges. This has a negative impact on both organisational and personal resilience.
To break out of this cycle, organisations need to look at learning and development as a proactive and continual cycle, not as a reactive measure to each new threat.
One of the most effective ways to achieve this is through exercises that simulate a critical cyber attack, such as a ransomware outbreak. A crisis simulation should be an accurate reflection of a real attack, customised to fit the organisation’s unique operational specifics.
These exercises should be more than a simple technical challenge and should seek to emulate the pressure of a real cyber threat to test the participant’s ability to respond in a real crisis. This can best be achieved by providing context, enabling participants to see the impact their decisions are having on the simulated version of their company, from operational catastrophes to ruinous financial damage.
Regularly going through scenario-driven exercises will help individuals and teams to build the experience needed to respond effectively in a crisis. Even if the specifics of a new threat still take some time to master, this experience will provide a useful baseline to draw on for an effective response.
How can organisations optimise their workforce for crisis response?
One of the most effective approaches for improving crisis response is a model known as Cyber Workforce Resilience. This method takes the entire organisation into account, since a cyber attack will target and impact any individual or department, not just security experts.
This people-centric approach to cybersecurity also takes an iterative, data-driven approach. Each crisis exercise delivers insights that can be used to highlight the areas most in need of improvement for future development.
For example, our research found that security teams often got to grips with some areas much more effectively than others. Learning exercises around areas like attack impact and data collection were completed relatively quickly and easily, while more complex exercises like addressing initial access and privilege escalation not only took longer but had a higher rate of abandonment.
It was also apparent that teams were able to get up to speed with some threats more quickly than others. Large firms took only two months to get up to speed on the Log4j software flaw, for example, while the Exim vulnerability took more than six.
Pinpointing data points like this will enable firms to prioritise their investment in development programmes to deliver the best results.
Giving security teams experience across a variety of cyber crises will enable them to take on emerging threats with a cool head, holding the fort as they continue to build specific skills.
About the Author
Bec McKeown is Director of Human Sciences at Immersive Labs. Immersive Labs is the leader in people-centric cyber resilience. We help organizations continuously assess, build, and prove their cyber workforce resilience for teams across the entire organization, from front-line cybersecurity and development teams to Board-level executives. We provide realistic simulations and hands-on cybersecurity labs to evaluate individual and team capabilities and decision-making against the latest threats.