Study Finds Response Time to Threats Improved, Resilience Efforts Still Fall Short
Immersive Labs’ research finds average response time shortened from 29 to 19 days between 2021 and 2022, with lessons from Log4j and other high-profile vulnerabilities having a significant impact on urgency levels.
Note: TDWI’s editors carefully choose press releases related to the data and analytics industry. We have edited and/or condensed this release to highlight key information but make no claims as to its accuracy.
Immersive Labs released the second edition of its annual Cyber Workforce Benchmark Report, which offers a deeper look at organizations’ resilience to threats (or lack thereof) through analysis of proprietary data over a one-year period. The study found that, on average, organizations’ response time to cyberattacks was reduced by approximately one-third -- from 29 to 19 days -- from 2021 to 2022, which can be attributed to the urgency and need for fast response times amid the fallout of the Log4j crisis and other high-profile vulnerabilities over the last year.
Immersive Labs’ research is based on organizations’ performance completing real-life cyber simulations spanning 1.1 million exercises and labs spanning technical staff to executives during a 12-month period from April 2022 to April 2023. Immersive Labs’ unique Resilience Score was a key factor in measuring and gauging trends against industry benchmarks. The goal of this report is to empower cyber leaders with insights to address strategy gaps, mitigate risk, and build lasting resilience to threats across the workforce.
Improvements to organizations’ median time to respond to new threats reveals a great deal about the overall state of cyber resilience, since faster response time means a smaller window of vulnerability and a lower risk of negative impact to the business. The Log4j crisis, for example, was a watershed moment that served as a catalyst for this urgency given its catastrophic impact. Although the initial discovery of Log4j dates back to December 2021, it continues to be a chart-topper among users of the Immersive Labs platform because two of the top five most frequently attempted CVE labs over the last year were Log4j-related.
“Leaders should ensure that their workforce -- at all levels of experience -- stays current with emerging threats, and get proof of their teams’ knowledge, skills, and judgment to quickly and effectively respond to threats,” said Immersive Labs CEO and founder James Hadley. “Our report’s insights underscore the critical importance of consistently conducting realistic exercises to assess skills gaps and fill them before it’s too late -- but just as important, if the worst case scenario does happen, knowing how to best handle incidents ‘after the boom’ to mitigate fallout.”
Immersive Labs’ research data also revealed several other notable patterns emerge including:
- Organizations aren’t preparing their workforces enough for after-incident responses. To effectively reduce risk, organizations must be prepared before and after an incident. Although organizations are ensuring that cyber resilience activities span the MITRE ATT&CK framework, Immersive observed a notable bias towards the earliest stages of the attack life cycle, suggesting security leaders are potentially leaving their organizations exposed to after-incident risk.
- Seasoned cyber pros are more complacent in their skills than junior staff. Junior staff tend to challenge themselves with more difficult exercises and are more likely to stay current with new threats compared to more experienced cyber professionals. More junior workers on average complete content that is more difficult than more experienced professionals. However, to effectively prepare for cyber threats, individuals at all stages of their career need to be prepared for the latest threats.
- Cyber resilience is rising globally amid more sophisticated threats. Modest gains were made in achieving resilience, especially those that focused on key areas such verifying the skills of new talent (46%) and assessing security team capabilities in realistic scenarios (30%) amid more sophisticated cyber threats.
- Financial services firms are the top individual performers. Holistically, regulated industries only marginally outperform less-regulated peers, with a 6% difference across key resilience metrics, showing that regulated industries on average are not substantially better prepared for attacks than less-regulated industries. Nevertheless, financial services firms tend to perform the best, as the industry represents seven of the top 10 overall performers, which can be largely attributed to their commitment to continuous exercising and benchmarking their teams, creating organizational competence.
Download the 2023 Cyber Workforce Benchmark Report here. (Short registration required.)