
Osterman Research Part 1: Out of sync with the threat landscape

Written by Immersive Labs
Published on August 12, 2020

Today, we released one of the few definitive reports on cyber crisis preparedness. Compiled alongside Osterman Research, it taps into the collective consciousness of around 400 CISOs and senior security leaders at organizations with more than 500 employees.

We set out to understand how influential security professionals prepare for the worst. The main trends we uncovered will be analyzed in three blogs over the next week. If you’re keen to get stuck in now, the full report is available here.

Dynamism in attack vs legacy exercising approaches

One of the most interesting datapoints was how incident response teams could be accused of being slow to adapt – something that could prove fatal as attackers set an unrelenting pace of change.

To understand this point, we must draw comparisons between offense and defense. On the offensive side, we have endlessly automated attacks, tens of millions of daily malware variants, and a never-ending stream of state-sponsored hackers and criminals. In 2019 alone, there were over 20,000 new vulnerabilities.

On the defensive side, our data (below) shows that large organizations typically run tabletop exercises once a year, and seven percent run exercises only every two years. Let's put that into perspective: between the 2019 and 2020 exercises, nearly 50 large, publicly acknowledged data breaches occurred, draining billions of dollars from affected organizations.

To compound this, most people run just three scenarios per exercise and, at the time of questioning, only a quarter (25%) had run an exercise in the last three months. Of those who had run exercises, only 26% said their team exceeded expectations.

It is not just the frequency of exercises that would benefit from an update. According to respondents, the techniques used for delivering scenarios also leave much to be desired considering the most common format is PowerPoint (65%). A static classroom-based approach like this will do little to engage participants and improve information retention.

Embrace contemporary doctrine to advance incident response

Modern thinking on cyber incident response points towards the need to build human muscle memory. People must be taught to think on their feet because every cyberattack is unique, and when the worst happens, adaptability is the only skill that matters. Phil Venables, CISO at Goldman Sachs, makes a strong case for that here.

To build muscle memory and human capabilities, you must instill a culture of agility in the psyche of your incident response team. Humans learn by doing and by having fun, so this is best achieved using tools that are iterative and actively engage people in the learning process. By running regular micro-drills, you can teach people to think for themselves, and that makes them more effective responders.

The data shows that organizations have yet to turn this aspiration into adoption. Infrequent and irregular exercises cannot even begin to build muscle memory. On a similar note, hefty sessions that take months of planning and days of senior management time might bolster the famous crisis bible, but they achieve little in the way of human development.

Organizations need to adapt to stay relevant. Only with engaging, short-form exercises can teams truly learn to respond to cyber crises. Active learning is significantly more effective than sitting in a stuffy room, nibbling at PowerPoint presentations that will be forgotten by the time the red lights start blinking for real.
