With some darkening economic clouds on the horizon for 2023, most businesses are continuing to tighten their belts in preparation for leaner times ahead.
But while many organisations will be reining in spending, cybercriminal groups are unlikely to slow down the pace of their attacks. Businesses must ensure they can still protect themselves from incoming cyber threats, despite potentially needing to be more conscious of the spending required to do so. This means it is more critical than ever that all security spending delivers maximum ROI and genuinely makes a difference to an enterprise’s security standing.
How can firms ensure that their investments are making a real difference? A cyber resilient workforce is one of the most essential ways of mitigating threats.
The value of real experience
Improving cyber security awareness and knowledge among the workforce can have a powerful impact on the company’s ability to withstand an attack. This goes for the rest of the broader workforce, alongside those IT and security personnel with cyber as their primary focus. Developing cyber knowledge will enable personnel to better spot potential threats and improve their chances of making the right call in a crisis.
Security has long been a difficult area to develop for non-specialists due to its highly technical nature. Training has often been dull and unengaging, doing little to impart knowledge or experience that will be useful in an actual incident.
Instead, running regular cyber crisis simulations is one of the best ways to truly develop human cyber capabilities. Realistic exercises that reflect real threats to the organisation will help personnel engage with what can otherwise be an abstract subject.
These exercises are most effective when tailored to the organisation’s specific structure and threat profile. Further, different departments should also receive a bespoke experience reflecting their roles and responsibilities.
While the CISO and cybersecurity team play a key role, everyone has an important part to play in defending the business. The finance team, for example, must be aware of best practices around sharing data and authorising payments and know the most common social engineering tactics that will target them. They must also know when and how to elevate a potential threat to their security team.
Ensuring that the right people develop the right capabilities at the right time will boost cyber resilience, organisation-wide in the most cost-effective way possible.
The key to building genuine resilience
We often think of resilience as a fundamental personality trait. Some people are born with it, and some aren’t. But in reality, while some of us are naturally more resilient than others, it is still a skill that anyone can learn and develop.
Like any other skill, the key to boosting resilience is practice and experience. Accordingly, cyber crisis exercises need to be revisited regularly. Repeated exposure to crisis situations will enable participants to build better responses and cognitive agility.
When a cyber crisis such as a significant ransomware attack strikes, individuals will have familiar patterns of response to guide them and improve their chances of making the right calls.
It’s also important to remember that resilience should be developed at an individual and group level. Working through a crisis as a team will strengthen the group dynamic, build trust, and familiarise participants with their responsibilities both within the team and wider business.
Measuring development to deliver ROI
Regardless of the economic climate, quality and consistency are essential for making a real impact on cyber resilience. Costly one-off training sessions or certifications will do little to improve participants’ skills or knowledge, and a one-and-done approach will mean that any gains quickly fade.
The best way to achieve ROI is with a model known as Cyber Workforce Resilience, which provides more cost-effective cyber upskilling through threat simulations. This approach begins by analysing the organisation’s existing human cyber capabilities and pinpointing the areas most needing development. From here, a bespoke plan can be created to continuously build specific skills and knowledge required to stand up against the most prevalent cyber risks.
Performance data from each exercise is analysed to measure progress and highlight strengths and weaknesses. This is a highly granular process, providing insights by department, team, and individual performance as required. Perhaps a particular analyst on the security team displayed a high level of knowledge but crumbled under the pressure of a fast-moving ransomware attack. Or maybe the HR department proved especially susceptible to Business Email Compromise (BEC)-type phishing emails.
The Cyber Workforce Resilience model will enable the company to hone in on these issues and prioritise learning and development accordingly. By focusing on an approach of continual improvement guided by objective data, organisations can stretch their security budgets to maximise resilience in the year ahead. Not only is this approach less of a strain on budget, but it’s also more effective.
About the Author
Bec McKeown is Director of Human Science at Immersive Labs. Immersive Labs is the leader in people-centric cyber resilience. We help organizations continuously assess, build, and prove their cyber workforce resilience for teams across the entire organization, from front-line cybersecurity and development teams to Board-level executives. We provide realistic simulations and hands-on cybersecurity labs to evaluate individual and team capabilities and decision-making against the latest threats.
Featured image: ©FellowNeko