By Max Vetter

Cybersecurity continues to be a crucial area of business investment. Even in these uncertain economic times, worldwide spending on security solutions is predicted to hit $219 billion this year, according to the Worldwide Security Spending Guide from International Data Corporation (IDC).

Yet many organisations are uncertain if their increased spending is really resulting in improved cyber resilience.

We ask Max Vetter, VP of Cyber at Immersive Labs, how businesses can ensure their security investments are really paying off. 

Why do so many businesses find it difficult to measure their cyber resilience?

I find enterprises commonly get overly focused on staking out their cyber budgets but fail to follow up with effective processes for measuring and tracking their progress. Firms will often pursue the latest developments in security solutions and services; others will focus on ticking the boxes of regulations or certifications.

While these latter approaches can boost resilience, businesses have no way of knowing if they aren’t properly measuring the impact. In a recent study, we found that almost half (46%) of security and risk leaders had no metrics for their workforce’s resilience. Often when firms do attempt to put metrics in place, they are based on unreliable indicators like historical attack response times. 

The result of adopting such approaches is a lot of organisations spending a great deal of money on cyber, ticking the right boxes on certification, and assuming they must be secure as a result. But in many cases this confidence is dangerously misplaced. 

How can businesses start tracking their resilience? What do you recommend as a focus? 

I believe the organisation’s workforce is the real key to cyber resilience. It doesn’t matter how much you spend on the latest technology, if your people aren’t secure, your business won’t be either. 

This applies to both security personnel and the wider workforce. Your security team must obviously be armed with the right training and experience to tackle incoming threats, but your non-technical staff also have important roles to play in keeping your business secure.

Senior executives need to be hyper-vigilant in the midst of an urgent crisis such as a serious ransomware attack or data breach. Further, anyone with any level of access to the corporate network is a viable target for threat actors looking for a way in. Ensuring the workforce is able to identify and correctly respond to common threats like phishing can make all the difference in preventing an attack.

Aren’t most businesses already carrying out awareness training?

It’s true that most organisations are aware that their workforce is a key part of their security. However, current approaches to raising awareness usually fall short of the mark.  

Security training is usually delivered through a classroom approach for the general workforce, but such sessions are rarely engaging enough to spark real behavioural change. Furthermore, they tend to be very infrequent, an annual event to tick off the compliance list. 

We usually see leadership roles being given more engaging opportunities through tabletop exercises, but these rarely capture the feel of a genuine event and so do little to test the mettle of participants. 

In both cases there is generally little in the way of benchmarking or follow up to measure and test the skills and knowledge gained. 

Security professionals will naturally receive a more concentrated approach since this is their main skillset, but even here the approach often fails to keep up with the break-neck pace of cyber threats. Teams will often be learning through ad-hoc sessions based on previous threats, and we estimate this can leave them roughly three months behind the current trends. 

So how should organisations tackle cyber skills? 

A continuous approach is the key to improving human cyber capabilities, and, ultimately, security resilience.

A sporadic, classroom-based approach tends to reduce cyber skill building to an annual calendar note – and one that no one looks forward to. Instead, it needs to be high on the agenda throughout the year. 

More than being frequent, it also needs to be engaging for the participants. One of the best ways to achieve this is with the use of simulation exercises. These realistically recreate the experience of a genuine cyber attack to test the participants’ ability to handle a crisis as well as retain knowledge. 

While simulations are a powerful way of getting the workforce to sit up and pay attention to cyber, they are also useful for security professionals. There can be a world of difference between theoretically being able to tackle an urgent threat like a Log4Shell attack, and actually doing it under pressure. 

How can businesses be sure they are making progress? 

Implementing regular, engaging skills development is only half the battle. Once a scheme is in place, it is essential to properly track and monitor it. Just like any other business activity, there must be an agreed set of metrics to measure success, and action taken to improve any shortfall. Organisations can benchmark their performance against industry standards to more accurately gauge their standing. 

A well-run simulation campaign can provide highly granular data, from individuals to teams to whole departments. If there are any issues or areas for improvement, this makes it far easier to create a bespoke development plan rather than relying on a blanket approach that might not address it.

With a continuous approach to development and improvement, businesses can be certain that their cyber spending is making a tangible difference to their cyber resilience. 

Rather than placing their confidence in a high security budget or regulatory checklist, they can be sure their workforce is ready to jump into action when an inevitable cyber crisis rears its head.

About the Author

Max Vetter, VP of Cyber at Immersive Labs, has over 20 years of experience in the cyber industry and the public and private sector in a range of online threats including hacking and cyber-stalking. He has expertise in ethical hacking, open-source intelligence and internet investigations specialising in darknets and cryptocurrencies.
