Analysis of 35,000 cybersecurity team members at 400 global organizations lays bare 96-day lag in knowledge, skills and judgment after attacks are out in the wild
BOSTON, Mass. & BRISTOL, England – March 9, 2022 – Immersive Labs, the company measuring and improving human cyber capabilities with its Cyber Workforce Resilience platform, today launched the world’s first global analysis of human cyber capabilities.
The inaugural Cyber Workforce Benchmark report analyzed cyber knowledge, skills and judgment from over half a million exercises and simulations run by more than 2,100 organizations in the last 18 months. These were broken down to understand the workforce cyber capabilities of cybersecurity, application security and crisis response teams. The research found:
- Analysis of 35,000 cybersecurity team members inside 400 large organizations reveals it takes over three months (96 days) on average to develop the knowledge, skills and judgment to defend against breaking threats, except with Log4j. Infrastructure and transport are the two slowest sectors, taking an average of more than four months (137 days) to ensure skills development after a threat emerges. A long lag in human capabilities contrasts significantly with the widely accepted need for swift technical remediation. Government cybersecurity bodies, for example, suggest patching as quickly as 48 hours after a vulnerability emerges. Log4j was an exception to this rule, with cybersecurity teams developing human capabilities within just two days.
- Cybersecurity teams prioritize knowledge, skills and judgment development against high-profile threat groups. The top five groups of interest, in order, are UNC2452 (Solarwinds), Iranian Threat Groups, Fin 7, Hafnium and Darkside. Capability development is significantly more rapid with such groups. The knowledge, skills and judgment to defend against SolarWinds, for example, was built nearly eight times quicker than average.
- The frequency of organizations conducting cyber crisis exercises varies significantly across sectors. Analyzing over 6400 crisis response decisions shows that technology and financial services companies prepare the most for cyber-attacks, running nine and seven exercises per year respectively. Critical national infrastructure organizations prepare the least, with just one exercise per year.
- Ransomware causes great uncertainty for crisis response teams. Seven out of the top 10 least confidently answered crisis scenarios across the entire platform were focused on this threat. When asked, 83% of all organizations chose not to pay the ransom; however, 18% of Government crisis response teams did, despite often being against official guidance.
- Application security teams develop human cyber capabilities faster than cybersecurity teams. Analysis of 43,000 hands-on application security exercises shows that 78% are completed faster than expected, as opposed to just 11% for cybersecurity labs. The average application security exercise is completed 2.5 minutes under the predicted complete time – but cybersecurity labs take 17 minutes longer than expected.
- The cybersecurity talent of tomorrow struggles to engage with application security. Pointing towards a potential future problem for the industry, of the 176,000 exercises completed by university students and other groups aiming for a career in cybersecurity, application security skills have the lowest engagement rate – a quarter of that of offensive cybersecurity skills. In fact, only 0.5% of all the labs completed focused on application security. With insecure software being the cause of some of the largest breaches of 2021, this highlights a burgeoning future problem for the industry.
Rebecca McKeown, Director of Human Science at Immersive Labs and ex-military psychologist, said,
“The data on the time gap between threats breaking and people having the ability to defend against them shows a need for faster time to human cyber capability for large organizations. Without this, people will potentially be making decisions founded in unhelpful biases.”
“Cybersecurity presents a unique skills development challenge for humans. Responding to a hybrid real-world and digital battlespace which is always changing means continuous skills development is crucial to preventing skills decay and building cognitive agility.”
The findings of the report support the launch of the Immersive Labs Cyber Workforce Resilience solution. Designed to allow large organizations to measure and optimize the human cyber capabilities of both technical and non-technical teams, it allows organizations to turn their workforce into strategically managed defensive controls for the first time.
“The insights produced by this report underscore the need for large organizations to have visibility of the cyber capabilities of their workforce, ” said James Hadley, CEO of Immersive Labs. “Without measuring the ability of technical and non-technical teams to mitigate risk, a critical part of resilience is missing. Gaps in cyber knowledge, skills and judgment can have the same impact as technical vulnerabilities.”
For more information on the Cyber Workforce Benchmark, visit this page.
About Immersive Labs
Immersive Labs is the world’s first solution enabling organizations to measure, map to risk, and optimize the human cyber abilities of their workforce in line with a security strategy. The award-winning platform continuously tests, analyses, and improves the capabilities of technical and non-technical teams, allowing the expertise of the whole organization to meet ever-evolving risks. This embeds a new level of resilience, unlocking the strategic value of knowledge, skills and judgment in cyber risk reduction and crisis response for the first time.
Immersive Labs is backed by Goldman Sachs Asset Management, Summit Partners, Insight Partners, Citi Ventures, and Menlo Ventures. Customers include some of the largest companies in financial services, healthcare, and government, amongst others. For more information on Immersive Labs’ offering, please visit www.immersivelabs.com.