After a couple of years of sophisticated and destructive cyberattacks - from Log4j and SolarWinds to Colonial Pipeline - it’s a critical time to evaluate the cyber skills, knowledge, and preparedness of your organization. There’s no use in depending on the generic incident response plans of the past. Instead, organizations now need to optimize the entire workforce for resilience. Everyone from executives to cybersecurity teams needs to have their capabilities continually updated in line with highly dynamic threats.
As the saying goes, it’s not if but when your organization will be the next target. We recently released our inaugural Cyber Workforce Benchmark Report, a global analysis of human cyber capabilities, and it highlighted some priority areas for organizations to focus on and improve. Below, I’ve outlined some concerning statistics we found. Together as security leaders, we must educate and upskill our teams about these blind spots and risks so we can better protect our organizations and sensitive IP.
- The time to develop necessary cyber skills takes months, not days. Cybersecurity teams inside large organizations take, on average, 96 days to develop the skills necessary to defend against breaking cyber threats. One particular attack took more than six months - 204 days - to master, on average.
- Critical sectors are often left exposed. Infrastructure and transport are the two slowest sectors to arm their teams with the necessary cyber skills, taking an average of more than four months (137 days). On the other hand, government organizations performed well – a key federal initiative over the past year.
- High-profile vulnerabilities see a significantly decreased time to capability. Four of the top five fastest-developed skills in 2021 came around Log4J. The increase in pervasive threats like Log4j is forcing organizations to find ways to advance human capability development, but unfortunately, a large gap still exists today.
- Application security teams develop human cyber capabilities faster than cybersecurity teams. 78% of all application security skills are developed faster than the expected completion time - as opposed to just 11% of cybersecurity labs. The average application security lab is completed 2.5 minutes under the expected complete time - whereas the average time to complete cybersecurity labs is 17 minutes over.
- Uncertainty is common when discerning how to best defend against ransomware. In a crisis scenario, 83% of participants chose not to pay the ransom. The most eager sector to pay the ransom was education, with a quarter paying up. 18% of government crisis response teams paid the ransom, despite official guidance in most countries stating not to. The education around ransomware attacks - including how to recover and move forward - is critical to prevent further destruction across industries.
While addressing these concerns will help address risk in the short term, another important topic to raise is the growing skills gap. Long-term resilience relies on having a strong pipeline of skilled individuals. We must also diversify the sources of talent we bring into the industry. This not only provides a far bigger pool to fish in - it also brings in a diversity of thought, something critical to solving the problems common in cybersecurity.
In essence, resilience is hard. The ability to stay abreast of an ever-changing threat that not only targets a broad cross-section of the workforce but also requires an understanding of highly nuanced details which change every time, is not something organizations are traditionally able to do. The first step comes in understanding the impact surface - which teams and individuals are armed with the capabilities, and which aren’t. Only by doing this, can we build collective defense in depth. Only then, can we prepare in advance and bounce back when incidents occur.
