Cyber-resilience has become a top priority for global organizations, but over half (52%) of those with programs are struggling because they lack a comprehensive assessment approach, according to Osterman Research.
Sponsored by Immersive Labs, the analyst’s Cyber Workforce Resilience Trend Report was compiled from interviews with 570 respondents in senior security and risk roles in the US, the UK and Germany.
Cyber-resilience places a strong focus on the ability of organizations to “anticipate, withstand, recover from, and adapt” to cyber-attacks and incidents, according to NIST.
Faced with concerns over ransomware, supply chain risks and vulnerabilities, 86% of respondents said they have a cyber-resilience program in place.
However, more than half are flying blind because they have no accurate way of measuring the effectiveness of these initiatives. Just 6% of respondents said they are using informative metrics to track things like vulnerabilities, intrusion rates, internal data loss and threat types.
The report also found other challenges including:
- Most pathways to learning about the latest vulnerabilities are ad hoc and reactive, limiting the value of security professionals
- Classroom-based training cannot keep pace with the threat landscape
- Industry certificates for IT and security pros are inadequate to address emerging threats
- Boards are failing to engage. A request for the security team to prove corporate cyber-resilience was made at less than half (46%) of responding organizations
Anxiety about the preparedness of regular employees is particularly high. Over half (53%) of respondents said their workforce is not well-prepared for the next cyber-attack, and 46% claimed their employees would not know what to do if they received a phishing email, despite years of training and phishing tests.
“To prepare for future threats, organizations urgently need to implement ways to better evaluate current resilience levels and fill cyber-skills gaps,” the report concluded.
“In driving the cyber-resilience agenda, a comprehensive approach that assesses competence, builds team-level skills, and highlights gaps is essential. Legacy approaches that don’t move at the speed of cyber and that rely on historical threat data can never provide what organizations need to address new and emerging threats.”