Beyond Buzzwords: How Organizations Can Prove Real Cyber Resilience
Attackers continue to make headlines with high-profile attacks. Yum! Brands – owner of fast-food restaurants like Taco Bell, KFC, and Pizza Hut – was forced to shut down almost 300 restaurants after an attack. The Royal Mail suspended overseas services after a breach compromised its international export systems. And T-Mobile announced it was breached again, this time by an attack that resulted in the exposure of personal data from 37 million customers.
As threat actors increasingly target people in their efforts to breach organizations, the conversation around cyber resilience continues to gain momentum. The topic dominated the conversation at Davos, and recent research indicates nearly all executives view building resilience as high priority. This prioritization isn’t surprising considering it has become clear that solutions like SIEM, DLP, anti-phishing, and firewalls are not enough to stop attackers from infiltrating an organization. Leaders are realizing that the cyber skills, knowledge, and judgment of their employees – across the whole workforce, not just the security team – play a vital role in keeping their organization and sensitive data secure.
As organizations actively seek to increase cyber resilience across all roles, many are realizing the hard way just how difficult it is to prove to senior leaders that they are prepared for emerging threats. This challenge is rooted in two distinct factors: first, it is difficult to measure humans; second, it is challenging to quantifiably demonstrate cyber skills improvement. While one-off training sessions and certification programs are well-worn habits of the industry, those approaches don’t translate to quantifiable proof. Today’s Boards and C-level executives are looking for concrete cyber resilience evidence, not a tally of webinars watched and a list of accreditations.
Measuring People’s Skills, Knowledge, and Judgment
To truly build cyber resilience, technology alone is not the answer. Business and government leaders should focus more on the people behind the tools. Organizations need to view their employees as their strongest asset, not their weakest link. Benchmarking is a technique organizations can and should implement to help measure their people’s cyber capabilities.
Benchmarking through continuous exercising allows organizations to better compare how their team stacks up against industry best practices (such as MITRE ATT&CK, NIST and NICE frameworks), providing a unique view of existing skills gaps. From this data, CISOs and other cyber leaders gain insights to build and implement a more effective cyber resilience strategy, one that prioritizes assessing, building, and proving cyber capabilities – including fostering org-wide skills, knowledge, and judgment in response to cyber threats.
To run a successful benchmarking program, cyber leaders should start by exercising their people with real-world cyber simulations and scenarios to get a read on baseline performance. They can then compare their teams’ and individuals’ performance to industry standards to find and fill skills gaps. Leaders gain data that they can use to prove cyber resilience to Boards and senior leaders. The cycle then repeats to keep pace with an ever-evolving threat landscape.
4 Business Outcomes that Lead to Cyber Resilience
Moving past all the buzzwords and hype, to truly be cyber resilient, organizations must be able to achieve the following business outcomes:
- Continuously prove cyber capability across the organization, aligned to security frameworks – Leaders need to be able to demonstrate cyber skills strengths and weaknesses across teams throughout the organization and compared to industry benchmarks.
- Improve speed and quality of response to emerging threats – To confront new and emerging threats, teams must be able to respond rapidly and confidently, aligned to industry best practices. They must be calm and in control – something that only comes from continuous exercising.
- Increase efficacy in recruitment, retention, and career development – Organizations must have the ability to attract and retain top cyber talent, as well as develop cyber champions from within.
- Reduce cloud and application vulnerabilities early and across the SDLC – As software and cloud vulnerabilities are a leading cause of breaches, organizations need to build a security culture that encourages developers to shift left and prevent insecure coding. For example, some banking institutions require their developers to prove competencies before they can code.
Based on recent attacks, security leaders are facing increasing pressure to provide concrete evidence of cyber resilience to their Boards and C-suites. Incorporating benchmarking into cyber training programs goes beyond checking the box, making cyber resilience attainable rather than just a vague buzzword. Equipped with actionable insights, leaders can invest in cyber upskilling in the right places, arming workforces with the right skills at the right time, every time.