Our Cyber Workforce Benchmark brought to light some key lessons for anyone looking to improve the cybersecurity capabilities of their organization.
The data from over 300,000 simulations completed by security teams in 2,100 organizations around the world showed some interesting biases among security professionals.
We took the data about completed exercises and mapped it against the MITRE ATT&CK framework – a 12-stage matrix that divides cyberattacks into typical steps from start to finish, from initial access to final exfiltration of data.
Strong bias to defend against the first steps of an attack
We found that across all sectors, security professionals are much more interested in improving their skills on the left side of the MITRE ATT&CK framework – that is, the early stages of an attack. For example, labs on developing the skills, knowledge and judgment to counter the execution of malicious code were five times more popular than labs relating to data collection or exfiltration.
We also examined the time taken to complete labs as well as abandonment rates. These showed that security professionals found the high-profile compromise and initial access skills the most difficult and time-consuming to master. Labs on the left of the matrix took twice as long as people expected and saw high abandonment rates – 44% of people did not complete Initial Access labs.
This makes sense on one level – if you can defend against the initial steps of an attack then the later stages become redundant. But it does ignore a golden rule of cybersecurity – that you must be prepared for a breach to occur and to recover afterwards. And that means developing the skills, knowledge and judgment to deal with every stage of a security incident.
Lead times to improved human capabilities
Our research also showed long lead times between vulnerabilities being reported and organizations developing the skills to defend themselves against them.
We measured the time taken by 35,000 people at 400 large organizations to develop the skills, knowledge and judgment to counter 185 cyber threats.
Government advice is normally to have defenses in place within days – in Australia, the advice is to be ready in just 48 hours. However, the average from our data was over three months – or 96 days.
The report found that critical national infrastructure providers performed the worst, taking an average of 137 days – more than four months – to be ready to counter new threats. The fastest sector to respond was entertainment and leisure with average times of 65.4 days.
Speed and skills biases
Interestingly, we did find that in some cases organizations can move at the required speed to respond. Four of the five fastest-developed skills in 2021 were linked to Log4j.
The lab, which enabled people to run an OWASP dependency tool to check for the potential impact of Log4j, was completed in less than a day. Three other related labs were completed within five days.
While Log4j was undoubtedly an extremely worrying vulnerability with potentially wide-ranging impacts on systems, it was also very high profile. Our resident psychologist’s view is that this reflects the innate human impulse to take immediate action when confronted with headlines and flashing red alerts.
But this rush to action can result in poor decision-making based on assumptions influenced by previous experiences, which may prove irrelevant to a new threat. To counter this, business leaders need to develop cognitive agility – the ability to ‘think about thinking’ to remove inherent biases and remain open to new views.
There is a similar bias in favor of developing skills against the early stages of an attack rather than the later steps. Stopping the initial intrusion and ‘saving the day’ is likely to garner praise, and it matches ‘hacker culture’. But again, leaders need to focus on developing team skills right across the board and measure those capabilities continuously to ensure there is a balance across the organization.
Dig deeper into the findings of the world’s first Cyber Workforce Benchmark.