A Holistic Approach to Cyber Resilience
Three ways your organization can build cyber resilience without additional investments in technology solutions.
- By Max Vetter
- October 16, 2023
The threat landscape continues to evolve, particularly as development and advancements related to generative AI gain momentum. Attackers are already leveraging AI to design and execute attacks, adding more pressure to already-stressed cybersecurity teams. Recent research has indicated that nearly all (84%) security leaders agree that their organization’s cybersecurity teams are feeling increasingly pressured to prepare for the next cyberattack.
To account for this increasing pressure, most organizations look at their tech stack to determine if they have the right tools and consider adding new ones to fill potential gaps that attackers might exploit. With new tools being rolled out from vendors on a regular basis, it's tempting to think that implementing the latest solution that promises to stop even the most sophisticated attacks will be enough.
Instead, we need to evaluate whether technology is truly enough to stop attackers. For years organizations have poured thousands of dollars into building their tech stack, with many overlooking the important role that the people within their organization play in preventing attacks. Building cyber resilience -- the ability and confidence to effectively respond to cyber threats -- among employees requires an investment beyond the technology. It requires an investment in a people-centric approach to cybersecurity.
Let’s explore three ways your organization can build cyber resilience without additional technology investments...
Implement Effective Training
Over the past year, we have seen response times to cyberattacks improve by about one-third, which is a great sign because it means a smaller window of vulnerability and a lower risk of negative impact on businesses.
However, there is still room for improvement. Nearly half (46%) of organizations indicate their employees would not know what to do if they received a phishing email -- despite years of security awareness training and phishing tests. Clearly, something isn't working.
The training methods most organizations use today are typically deployed too infrequently -- think monthly, or more often quarterly -- and often have difficulty creating realistic scenarios. The problem with this cadence is that attackers evolve and change their techniques quickly. By the time teams have completed courses about techniques from earlier in the month, it’s likely cyber criminals will have already evolved their tactics, leaving teams unprepared to handle their new strategies.
Instead, build cyber resilience among your teams by focusing on weekly real-world training sessions to keep teams agile. These types of training sessions keep teams engaged and are far more effective than the multiple-choice tests many programs utilize. They let teams rely less on prewritten playbooks, assess the attack, and make the best decisions for the situation.
Eliminate Reliance on Industry Certifications
Although nearly all organizations (96%) encourage IT and cybersecurity teams to gain industry certifications, the effectiveness of these certifications in preparing team members with the skills they need to defend against attackers often comes into question. Case in point, new research found that only 32% of respondents agree that industry certifications are effective. As an industry, we must re-evaluate our overreliance on industry certifications and consider the limitations they present as organizations work to build resilience among their teams.
For example, one area in particular where we’ve seen certifications take too much focus is in talent recruitment. Naturally, organizations want to hire team members with experience, but for years the assumption has been that having specific certifications equates to having the right expertise.
This overemphasis on certifications means qualified applicants may be getting rejected early in the search process. It also creates a costly barrier to entry for early career and diverse security talent. Instead, the recruiting process should shift to focus more on candidate aptitude and capabilities. Certifications can be a consideration, but in today’s evolving threat landscape they shouldn’t be the deciding factor when selecting a candidate.
Building the Right Culture
Beyond investing in the right training techniques to build resilience, it is important for security leaders to set up the right culture for cybersecurity and ultimately build a strong cybersecurity foundation. To help meet today’s cybersecurity challenges, organizations should treat cybersecurity as a team sport, working with employees to adopt a collective responsibility mindset throughout the entire organization so as to not place blame or pressure on just the cybersecurity teams.
To start building this collective mindset, begin including employees outside of security teams in security training to avoid the blame game when an attack inevitably happens. Creating a stigma around cybersecurity mistakes will only discourage employees from escalating cybersecurity concerns or incidents in the future for fear of punishment. Not only does including all employees in training help ease the burden security teams feel, but it also ensures that all employees know the appropriate steps to take when encountering a potential threat.
By focusing on creating a culture of understanding, employees outside the security team may be more open to learning from these incidents and identifying concerns in the future, ultimately giving your organization a more holistic view of the true state of its cyber resilience.
Cyber Resilience is a Team Effort
There may be no quick fix to cyber resilience issues, especially as concerns grow over emerging threats every day. However, there are steps your organization can take to build out its resilience capabilities and show overall improvements in your programs without spending your security budget on additional tools.
Internally, continuous skill-building across all roles and levels of experience with engaging, real-world exercises prepares all employees to recognize and easily respond to cyber threats. Externally, looking beyond certifications and structuring hiring processes around proven skills can help solve the cybersecurity talent shortage and help share the weight of overworked security teams.
A Final Word
With this three-pronged approach, leaders can be confident that their entire organization has the knowledge, skills, and judgment to respond to emerging threats. It can be easy to forget, but people will always be your best line of defense in your cyber resilience programs.
Max Vetter is the VP of cyber at Immersive Labs, which he joined in 2018. Vetter has helped customers identify, assess, recruit, develop, and retain cybersecurity talent. He has expertise in ethical hacking, open source intelligence (OSINT), and internet investigations specializing in darknets and cryptocurrencies.