Can you really evidence human cyber readiness?
One of the biggest problems in cybersecurity today is measuring and evidencing capability. But the challenge for security leaders isn’t understanding the capabilities of technology; it’s measuring the impact of people. That’s because most organizations will fall into a trap of judging their employees on the certificates they hold rather than the practical experience they’ve…
One of the biggest problems in cybersecurity today is measuring and evidencing capability. But the challenge for security leaders isn’t understanding the capabilities of technology; it’s measuring the impact of people. That's because most organizations will fall into a trap of judging their employees on the certificates they hold rather than the practical experience they’ve acquired.
But in our rapidly moving industry complacent defenders lose ground fast, which is why you need personnel with demonstrable skill sets – not two-year-old bits of paper.
From the creation of antivirus in the 70s to the dawn of software that protects cloud-based operations, industry certifications were a largely adequate way of measuring skills, proving the holder could use the tools required to protect specific technologies. But not any longer. Organizations now need to detect and react to security incidents, so evidencing must be constant.
Why insufficient evidencing is a security risk
Security leaders are struggling to identify their team’s strengths and weaknesses, with half of all CEOs unsure that their organization could respond to a hacking incident or data breach. This lack of visibility is unacceptable. As a security event moves from the detect to the response phase, people – and more specifically their skills and psyche – become your greatest asset. Almost everything post-compromise (or ‘right of boom’) is handled by your people. If their effectiveness and skills are not continuously being evidenced, you cannot gauge their preparedness. And this ultimately creates risk.
A lack of evidencing is especially troubling for CISOs who work in large enterprises, where they must measure capability at speed. However, all businesses now need the ability to visualize and evidence human cyber capability.
Evidencing must be continuous
Evidencing is a snapshot of your cyber capability on any given day – nothing more. Your coverage changes whenever new techniques and risks emerge, so you must continuously monitor your team and ensure they stand prepared for the latest threats. But without continuous data-led evidencing, you cannot prove that spending on human capability will improve your organization’s security posture. This means your board will lack confidence and be unlikely to invest.
This is precisely where classroom training falls short. The material taught is prepared weeks (or even months) in advance, which means by the time it reaches the learner, it is already old news – a security fossil. And at the end of the course, the learning literally stops. Leaving you with what? A certificate that confirms your team has theoretically covered a handful of outdated techniques.
Cybersecurity is a fluid industry, and it is never game over when it comes to skills development. There is always an emerging technique to learn, an innovative way of working to adapt, or a new attack to defend against. Your team’s capability must therefore be evidenced constantly.
Immersive Labs continuously evidences human cyber readiness
When an organization faces an incident and the pressure is on, nobody will run to their desk, pull out a certificate and say, "don’t worry guys, I’ve got this!". Cyberattacks don’t happen on paper. You need people who can call on an actual experience that led to them acquiring a skill – a skill that has been evidenced and that can be used in the event to minimize damage. Formula 1 is a great example of this kind of learning: at maximum speed, the drivers manage to press the right buttons on the steering wheel to increase performance on the fly. It’s hugely impressive, but the only reason they are able to respond appropriately – especially when something goes wrong – is that they’ve evidenced their capability when thrown those challenges in highly realistic simulations.
Immersive Labs is exercise-driven and evidences cyber capability in two ways: tracking and scoring. The tracking element allows you to monitor human coverage to mitigate threats in real time. The scoring element enables you to measure human preparedness including in wider risk management efforts.
Here’s how we evidence individual and organizational capability
Our cloud-based cyber readiness platform not only delivers metrics on usage but also aligns skills to business risk. Using integrated frameworks such as MITRE ATT&CK, organizations can visualize their most pressing risks alongside the skill levels of their relevant people. The matrix shows where your people have evidenced skills in our labs relevant to the techniques in ATT&CK.
Immersive Labs' MITRE ATT&CK framework mapping tool
Our Cyber Capability Score is a workforce-wide assessment metric woven into the fabric of our platform. This innovation harnesses the data you need to visualize the cyber strengths and weaknesses in your teams at a glance, which means your skills development strategy can be more targeted than ever. The Cyber Capability Score doesn’t just analyze skills in your business though; it also compares them with the skills present in other businesses, benchmarking what ‘good’ looks like in your industry and globally. And the best part is, this all happens in real time.
Immersive Labs’ Cyber Capability Score
Using Immersive Labs, security managers can define the best measures to demonstrate human cyber readiness in their own organization. At an individual level, managers can define objectives that map specifically to frameworks such as NIST NICE. Our experts have aligned many of our labs to this framework, which ensures our users are developing skills relevant to real security teams today. We have also created pre-defined objectives that map to the framework, supporting structured learning for different users or teams. These define a clear path towards specific technical roles, such as Vulnerability Assessment Analyst.
But evidencing isn’t the end…
We cannot stress this enough: cybersecurity is never game over. To maintain a solid security posture your business must evidence strengths and weaknesses, but it must also keep equipping employees with the latest skills and then allowing them to exercise. This is how you will truly prepare your business for cyberattack.
22 June 2020
Latest Blog posts
Wicked problems: navigating crises when there’s no clear path
1 April 2021
Play along with our new crisis scenario – Insider Threat: Pharma Drama!
31 March 2021
The People of InfoSec on the People of InfoSec: The Thought Leader’s View
31 March 2021