A new Osterman Research report, commissioned by Immersive Labs and released on May 17th, highlighted organizations’ lack of confidence in their cyber security resilience strategy.
Study finds that 52% of organizations report a lack of effective training for resilience.
The 2023 Cyber Workforce Resilience Trend Report explains that “while 86% of organizations have a cyber resilience program, more than half (52%) of respondents say their organization lacks a comprehensive approach to assessing cyber resilience.” Cyber resilience is at the top of strategic planning and spending in 2023, but the report notes that many organizations’ resilience programs are falling short of the mark.
All star cyber security professionals are increasingly hard to hire.
10% of the responses cited from the organizations in the study list hiring more cyber security professionals who have a higher baseline of training and competence as a factor in their cyber resiliency plans. As Rick Howard (N2K’s CSO and The CyberWire’s Chief Analyst and Senior Fellow) pointed out, this has been a problem for years, and the industry can’t seem to figure it out. “In 2022, the International Information System Security Certification Consortium (ISC Squared) said that the global cybersecurity workforce gap was 3.4 million people. That's over 116 times the number calculated by CSIS a decade ago. Clearly we have a problem finding qualified people, and it's not like we haven't tried to fix the problem.” He adds “When we hire, we're looking for the all star -- somebody with 25 years experience, a technician with 17 certifications, and an employee willing to work for a buck fifty an hour. No wonder we can't find anybody.”
Industry certifications are behind the pace of emerging threats.
One important issue the report raises is reliance on ad hoc training and industry certifications in their training programs. While industry certifications are a valuable way to maintain standards and can be useful in the hiring process, the report finds that they lack effectiveness in actually helping organizations mitigate threats. “Given the high emphasis placed on industry certifications (96%), it is alarming that only 32% of respondents rate industry certifications as “very effective” at helping technical teams to achieve the outcome of mitigating new and/or emerging cyberthreats,” the report says. A significant problem the study outlines is that cyber security certifications are constantly out-paced by real-world cyber events.
The report finds that internet forums or communities are the most common method used to discover emerging threats and vulnerabilities. The second most used method, Industry conferences, can lag emerging threats. (Most conferences are held annually, and this tends to render them retrospective as opposed to predictive.) “Talks that are approved for presentation months before the event is held will be outdated by the time the conference finally rolls around.” writes Immersive Labs. The traditional methods of keeping professionals up-to-speed on current events are, oftentimes, out of date and expensive. This raises the question, is it worth it to send an individual to events and their associated training when what’s needed is preparation to deal with emerging threats.
Individual training has been tried. Maybe team training is worth a shot.
Training seemed to be the most cited (21%) action in organizations’ resiliency plans. James Hadley, CEO and Founder of Immersive Labs, writes, “Any legacy cyber training approach that cannot deliver continuous exercising is not fit for purpose given the realities of today’s evolving cyberthreats,... As organizations work to strengthen their cyber resilience agenda, they should focus on continuous assessment and building cyber skills and proving stronger outcomes. We need a renewed focus on better cybersecurity capability solutions and cultivating a workforce with the expertise to handle the real-world impact demands of new and emerging threats.” The researchers add, “The learning interests of the individual rise above what the organization needs to know about the cybersecurity team. The approaches do not offer a structured mechanism for engaging the cybersecurity team as a whole, and therefore the organization has no way of assessing and improving how the cybersecurity team works together during an incident.”
Howard’s take is that these organizations are focusing too much on individual training instead of team training to build the workforce as a whole. “When the organization trains its own people, leadership is generally all for it, but we send the individual. We pay upwards of $3,000 for an employee to attend a class or a conference to get up to speed on some new thing. Most times we ask the individual what he or she wants to learn, not as a training task but as a perk for being part of the organization. We don't really have a team training strategy at all. With these tactics, we struggle to bring on talent with the skills we actually need and we are surprised when the training impacts one employee, not the overall organization.” Howard emphasizes that before training your team, you have to first know their strengths and weaknesses. Before spending thousands of dollars, employers should look at programs that give them the best return on investment. Should you send an over-achieving person to learn a skill set and become more marketable, or should you send your whole team to a class (or perhaps an exercise) and bring your overall resilience up?