<- All Blogs
Cybersecurity
Exercising

The Problem of Cyber Pro Complacency and other Findings from our 2023 Cyber Workforce Benchmark Report

Written by
Immersive Labs
Published on
October 10, 2023

As organizations around the world grapple with increasingly sophisticated cyber threats, the concept of cyber resilience – the ability to prepare for and respond effectively to cyber threats – has taken center stage, reshaping strategies and demanding continuous evolution.In this blog post, we explore the intricacies of cyber resilience uncovered in our recent 2023 Cyber Workforce Benchmark Report, including why continuous cyber skills exercising is vital to resilience and the critical need for comprehensive preparedness.The power of continuous cybersecurity exercisingIn the face of an ever-adapting digital landscape, organizations have witnessed year-over-year increases in some facets of cyber resilience. Notably, those who conduct regular cybersecurity exercising against emerging threats tend to perform better, than those who exercise their people more sporadically. This is heartening given the advent of new threats such as those posed by Generative AI.Junior staff challenge themselves more than seasoned cyber prosSeasoned experts often display a surprising degree of complacency in their skills compared to their junior counterparts. This insight underscores the dynamic nature of the cyber landscape and underscores the importance of ensuring cyber professionals at all levels of experience are keeping up with the latest threats.Improvements in response times to attacksOrganizations have made significant strides in their response times to emerging threats. The median response time has witnessed a notable reduction, reflecting an increased agility and a deeper knowledge in addressing newly discovered vulnerabilities. Incidents like the Log4j crisis have played a pivotal role in catalyzing this progress, underscoring the indispensable role of real-world events in shaping cybersecurity priorities.The impact of regulations: a mixed bagWhile regulated industries may appear poised to outperform their less-regulated counterparts, the reality paints a more nuanced picture. Despite a marginal 6% difference in key resilience metrics, the advantage of regulations does not inherently translate into substantial preparedness. The exceptional performance of certain Financial Services firms within regulated industries emphasizes the significance of cultivating a robust cybersecurity culture from within. This serves as a poignant reminder that consistent team and individual exercises are essential across industries to ensure effective cyber defense.The crucial blind spot: after-incident response preparationAmid the growing awareness and commitment to cyber resilience, organizations confront a critical blind spot: the readiness of their workforces for post-incident responses. While progress has been made in aligning cyber resilience activities with frameworks like MITRE ATT&CK®, a notable bias towards the initial stages of the attack lifecycle persists. This revelation underscores the need for a comprehensive approach that encompasses both prevention and response to achieve effective risk reduction.Forging ahead in an ever-shifting landscapeOur 2023 Cyber Workforce Benchmark Report reveals the real progress, challenges, and the ongoing journey cyber leaders face on the road towards comprehensive resilience.To increase your cyber resilience today, here is a checklist of 5 items supported by this year’s report:

  1. Make cybersecurity a strategic Board and C-level priority: Making cyber a strategic priority means recognizing its importance and integrating it into the highest levels of the decision-making processes across an organization, including at the Board and C-level.
  2. Build a rock-solid cybersecurity culture across the workforce:
  3. Beware cybersecurity overconfidence or complacency: Seniority doesn’t necessarily mean readiness for threats. To stay current with emerging threats, staff of all experience levels need to continue their skills development so they have the knowledge and judgment to effectively respond to threats.
  4. Don’t be sporadic. Continuously exercise and prove capabilities: One-off cyber skilling “fire drills” won’t do. Leaders need to regularly and consistently conduct cybersecurity exercises to assess skills gaps and fill them before it’s too late.
  5. Ensure preparedness for both before, and after, an incident: Ensuring coverage across all of MITRE ATT&CK framework means establishing workforce preparedness for before and after the boom to avoid weaknesses in any particular area.

To learn more about these and other findings, download the 2023 Cyber Workforce Benchmark Report now.

Share this post