One of the things that makes enterprise security so challenging is the fact that it is a continuously moving target. Even as security teams make ongoing improvements to their security tools and practices, new software vulnerabilities and attack techniques appear on a near-continuous basis.
Most security teams are used to living on this hamster wheel and are always looking for new ways to gain an advantage. Sometimes it’s a new security tool. Other times it is an incremental improvement to the speed of patching the software vulnerabilities that new attack techniques exploit. And over the longer term, many organizations are shifting to Zero Trust Architecture approaches that are more resilient against the unexpected.
These are all excellent practices. But they overlook one crucial question:
Are security teams developing the human capabilities they need to respond to breaking threats quickly and effectively?
We’ve conducted hundreds of thousands of exercises and simulations with organizations across a broad spectrum of industries and geographies. In the process, we’ve kept our eye out for useful insights into the overall state of cyber-resilience.
You can find our complete analysis in our Cyber Workforce Benchmark 2022.
But today, let’s use a subset of this data to assess how quickly security teams ramp up their human capabilities when new threats break – and how this compares to related activities like software patching.
How fast is fast enough?
Naturally, any organization would love to be able to protect itself against any newly discovered threat or vulnerability immediately. But realistically, even highly effective security teams will have a window of vulnerability between discovering a new threat and implementing the necessary mitigation measures.
Software vulnerability patching is a classic example of this. While most security teams would prefer to apply security patches to all vulnerable systems as soon as they are available, there is generally a lag. Even when automated patching tools are in use, patching takes time. Change management processes must be followed. Vulnerable systems may be temporarily offline and inaccessible. And not all patches are applied successfully on the first try.
Recognizing these practicalities, the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations strive to patch software vulnerabilities within 15 calendar days of detection. Other national cybersecurity bodies have even more aggressive guidance. For example, the Australian Cyber Security Centre recommends that patches be applied within 48 hours if a known exploit exists for the vulnerability in question.
In any case, the accepted response time for patching critical vulnerabilities is generally measured in days.
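The two guidance windows quoted above (15 calendar days from detection, tightening to 48 hours once a known exploit exists) are easy to state but only useful if they are actually tracked against the remediation backlog. The following Python script is an added example, not code from the post or from Immersive Labs: it takes the two windows as SLA definitions (an assumption about how a team would operationalize them), classifies each vulnerability record as met, breached, open or overdue, and reports the records that need escalation plus the mean days-to-patch. The record ids and dates are constructed for illustration.

```python
from datetime import datetime, timedelta
from collections import Counter

# Guidance windows quoted in the post, used here as the SLA definitions (assumption):
# CISA: patch within 15 calendar days of detection.
# ACSC: patch within 48 hours when a known exploit exists.
CISA_WINDOW = timedelta(days=15)
ACSC_EXPLOITED_WINDOW = timedelta(hours=48)


def deadline(detected, exploit_known):
    """Return the applicable patch deadline for one vulnerability.

    The stricter 48-hour window applies as soon as an exploit is known;
    otherwise the 15-calendar-day window applies.
    """
    window = ACSC_EXPLOITED_WINDOW if exploit_known else CISA_WINDOW
    return detected + window


def sla_status(detected, patched, exploit_known, now):
    """Classify one record: met / breached if patched, open / overdue if not."""
    due = deadline(detected, exploit_known)
    if patched is not None:
        return "met" if patched <= due else "breached"
    return "open" if now <= due else "overdue"


def summarize(records, now):
    """Aggregate SLA status across records.

    Returns per-status counts, the ids that are breached or overdue (what a
    vulnerability manager would escalate), and the mean days-to-patch over the
    remediated records (None if nothing has been patched yet).
    """
    counts = Counter()
    escalate = []
    durations = []
    for r in records:
        status = sla_status(r["detected"], r["patched"], r["exploit_known"], now)
        counts[status] += 1
        if status in ("breached", "overdue"):
            escalate.append(r["id"])
        if r["patched"] is not None:
            durations.append((r["patched"] - r["detected"]).total_seconds() / 86400)
    mean_days = sum(durations) / len(durations) if durations else None
    return {"counts": dict(counts), "escalate": escalate, "mean_days_to_patch": mean_days}


# Constructed sample records (hypothetical ids and dates, not real findings).
SAMPLE_RECORDS = [
    {"id": "VULN-0001", "detected": datetime(2022, 5, 1), "patched": datetime(2022, 5, 10), "exploit_known": False},
    {"id": "VULN-0002", "detected": datetime(2022, 5, 1), "patched": datetime(2022, 5, 20), "exploit_known": False},
    {"id": "VULN-0003", "detected": datetime(2022, 5, 1), "patched": datetime(2022, 5, 2, 12), "exploit_known": True},
    {"id": "VULN-0004", "detected": datetime(2022, 5, 25), "patched": None, "exploit_known": True},
    {"id": "VULN-0005", "detected": datetime(2022, 5, 31), "patched": None, "exploit_known": True},
]
AS_OF = datetime(2022, 6, 1)  # constructed "now" for the sample

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["id"], sla_status(r["detected"], r["patched"], r["exploit_known"], AS_OF))
    print(summarize(SAMPLE_RECORDS, AS_OF))
```

The point of separating "open" from "overdue" is that an unpatched item inside its window is still on track, while an item past its deadline is already exposure the team is carrying; reporting the two together hides that distinction. The same structure extends naturally to a third state for records where a compensating control (firewall rule, segmentation) is in place but the patch is not.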
Where do human capabilities fit in?
While technical steps like patching are vital to risk mitigation when new threats break, human readiness also plays a pivotal role. Why? First, as noted above, there is always a window of exposure between when a vulnerability is discovered and when it can be remediated. During this window, the humans on your security team are your first and last line of defense. They also have access to mitigation measures that can reduce exposure, such as the ability to modify firewall rules or use other segmentation techniques to restrict access to vulnerable systems.
But even when most or all of your vulnerable systems are patched, human expertise about specific vulnerabilities and exploits continues to pay dividends for your organization. Many new vulnerabilities and attack techniques are derivatives of those that came before. So developing your team’s understanding of specific threats creates a broad base of security knowledge that will allow your team to spot patterns and attack characteristics more effectively in the future.
Over time, you will also develop talent capable of performing proactive threat hunting that will help you cut off possible attack vectors before threat actors can exploit them.
Human readiness lags well behind technical remediation measures
At Immersive Labs, we have a unique vantage point to see how quickly organizations are ramping up their organizational knowledge about breaking security threats. When critical threats appear in our intelligence feeds, we generally make hands-on exercises available to our customers within hours.
As we were developing our Cyber Workforce Benchmark 2022, we looked at a sample of 185 of these breaking threats and analyzed how quickly 35,000 cybersecurity professionals across 400 large organizations completed the corresponding exercises.
Here’s what we found:
Cybersecurity teams take 96 days on average to develop the skills necessary to defend against breaking threats.
So, in contrast to vulnerability patching activities, which often have a tightly managed completion window measured in days, human capability development in response to new threats stretches out over several months on average.
Critical industries like infrastructure and transportation take over four months to respond to new threats
Human capability development response times lag even further behind the average in two critical industries: infrastructure and transportation. Transportation organizations took an average of 145 days to enable their teams to defend against emerging threats. Critical infrastructure organizations followed close behind, taking an average of 128 days. Given the societal disruption that security incidents in either of these industries would cause, we think it’s urgent to collaborate with these organizations to reduce these timelines.
While security teams should continue to focus on the technical fundamentals like patching when new threats and vulnerabilities break, most are missing out on the risk reduction benefits of ramping up human expertise at a similar pace. Organizations that focus on shortening the window between identifying a new threat and developing human capabilities through focused exercises will likely reduce their immediate risk while also developing the overall security acumen of their team in less tangible ways.
Download the complete Cyber Workforce Benchmark 2022 for our full analysis
The topic I covered today is just one of the many insights you can find in our full Cyber Workforce Benchmark 2022 document. Download your free copy for a more complete view of the state of cyber resilience globally, along with expert perspectives from fellow security executives and capabilities development experts.