The Problem of Cyber Pro Complacency and other Findings from our 2023 Cyber Workforce Benchmark Report

In the face of an ever-adapting digital landscape, organizations have witnessed year-over-year increases in some facets of cyber resilience. Notably, those who conduct regular cybersecurity exercising against emerging threats tend to perform better, than those who exercise their people more sporadically. This is heartening given the advent of new threats such as those posed by Generative AI.

Seasoned experts often display a surprising degree of complacency in their skills compared to their junior counterparts. This insight underscores the dynamic nature of the cyber landscape and underscores the importance of ensuring cyber professionals at all levels of experience are keeping up with the latest threats.

Organizations have made significant strides in their response times to emerging threats. The median response time has witnessed a notable reduction, reflecting an increased agility and a deeper knowledge in addressing newly discovered vulnerabilities. Incidents like the Log4j crisis have played a pivotal role in catalyzing this progress, underscoring the indispensable role of real-world events in shaping cybersecurity priorities.

While regulated industries may appear poised to outperform their less-regulated counterparts, the reality paints a more nuanced picture. Despite a marginal 6% difference in key resilience metrics, the advantage of regulations does not inherently translate into substantial preparedness. The exceptional performance of certain Financial Services firms within regulated industries emphasizes the significance of cultivating a robust cybersecurity culture from within. This serves as a poignant reminder that consistent team and individual exercises are essential across industries to ensure effective cyber defense.

Amid the growing awareness and commitment to cyber resilience, organizations confront a critical blind spot: the readiness of their workforces for post-incident responses. While progress has been made in aligning cyber resilience activities with frameworks like MITRE ATT&CK®, a notable bias towards the initial stages of the attack lifecycle persists. This revelation underscores the need for a comprehensive approach that encompasses both prevention and response to achieve effective risk reduction.

Our 2023 Cyber Workforce Benchmark Report reveals the real progress, challenges, and the ongoing journey cyber leaders face on the road towards comprehensive resilience.

To increase your cyber resilience today, here is a checklist of 5 items supported by this year’s report:

1. Make cybersecurity a strategic Board and C-level priority: Making cyber a strategic priority means recognizing its importance and integrating it into the highest levels of the decision-making processes across an organization, including at the Board and C-level.
2. Build a rock-solid cybersecurity culture across the workforce:
3. Beware cybersecurity overconfidence or complacency: Seniority doesn’t necessarily mean readiness for threats. To stay current with emerging threats, staff of all experience levels need to continue their skills development so they have the knowledge and judgment to effectively respond to threats.
4. Don’t be sporadic. Continuously exercise and prove capabilities: One-off cyber skilling “fire drills” won’t do. Leaders need to regularly and consistently conduct cybersecurity exercises to assess skills gaps and fill them before it’s too late.
5. Ensure preparedness for both before, and after, an incident: Ensuring coverage across all of MITRE ATT&CK framework means establishing workforce preparedness for before and after the boom to avoid weaknesses in any particular area.

To learn more about these and other findings, download the 2023 Cyber Workforce Benchmark Report now.