Can you really evidence human cyber readiness?

One of the biggest problems in cybersecurity today is measuring and evidencing capability. But the challenge for security leaders isn’t so much in understanding the capabilities of technology. It’s measuring the impact of people. Many organizations will fall into a trap of judging their employees on the certificates they hold rather than the hands-on experience they’ve acquired.

But in our rapidly moving industry, complacent defenders lose ground fast, which is why you need security personnel with demonstrable skill sets – not 2-year-old bits of paper.

From the creation of antivirus in the 1970s to the dawn of software that protects cloud-based operations, industry certifications were largely an adequate way of measuring skills, proving the holder could use the tools required to protect specific technologies. But not any longer. Organizations now need to proactively detect and react to security incidents, meaning evidencing must be constant.

Why insufficient evidencing is a security risk

Security leaders are struggling to identify their team’s strengths and weaknesses, with half of all CEOs unsure that their organization could respond to a hacking incident or data breach. This lack of visibility is unacceptable. As a security event moves from the detect to the response phase, people – and more specifically their skills and psyche – become your greatest asset. Almost everything post-compromise (or ‘right of boom’) is handled by your people, so if their effectiveness and skills are not continuously being evidenced, you cannot gauge their preparedness. And this ultimately creates a risk.

A lack of evidencing is especially troubling for CISOs who work in large enterprises or are joining new companies, where they must measure their team’s capability at speed. Every organization now needs to visualize and evidence its human cyber capability.

Evidencing must be continuous

Evidencing is a snapshot of your cyber capability on any given day – nothing more. Your coverage changes whenever new techniques and risks emerge, so you must continuously monitor your team, ensuring they stand prepared for the latest threats. But without continuous data-led evidencing, you cannot prove that spending on human capability will improve your organization’s security posture. This means your board will lack confidence and be unlikely to invest.

This is precisely where classroom training falls short. The material taught is prepared weeks (or even months) in advance, which means by the time it reaches the learner, it is already old news – a security fossil. And at the end of the course, the learning literally stops. Leaving you with what? A certificate that confirms your team has theoretically covered a handful of outdated techniques.

Cybersecurity is a fluid industry, and it is never game over when it comes to skills development. There is always an emerging technique to learn, an innovative way of working to adapt, or a new attack to defend against. Your team’s capability must therefore be evidenced constantly.

Immersive Labs continuously evidences human cyber readiness

When an organization faces an incident and the pressure is on, nobody will run to their desk, pull out a certificate and say, ‘don’t worry guys, I’ve got this!’. Cyberattacks don’t happen on paper. You need people who can call on an actual experience that led to them acquiring a skill – a skill that has been evidenced and that can be used in the event to minimize damage. Formula 1 is a great example of this kind of learning: at maximum speed, while pushing the absolute limit, the drivers find a way to press the right combination of buttons on the steering wheel to increase performance on the fly. It’s hugely impressive, but the only reason they are able to respond appropriately – especially when something goes wrong – is that they’ve evidenced their capability when thrown those challenges in highly realistic simulations.

Immersive Labs is exercise-driven and evidences cyber capability in two ways: tracking and scoring. The tracking element allows you to monitor human coverage to mitigate threats in real time. The scoring element enables you to measure human preparedness, including as part of wider risk management efforts.

Here’s how we evidence individual and organizational capability

Our cloud-based cyber readiness platform not only delivers metrics on usage but also aligns skills to business risk. Using integrated frameworks such as MITRE ATT&CK, organizations can visualize their most pressing risks alongside the skill levels of their relevant people. The matrix shows where your people have evidenced skills in our labs relevant to the techniques in ATT&CK.

Immersive Labs' MITRE ATT&CK framework mapping tool

Our Cyber Capability Score is a workforce-wide assessment metric woven into the fabric of our platform. This innovation harnesses the data you need to visualize the cyber strengths and weaknesses in your teams at a glance, which means your skills development strategy can be more targeted than ever. The Cyber Capability Score doesn’t just analyze skills in your business though; it also compares them with the skills present in other businesses, benchmarking what ‘good’ looks like in your industry and globally. And the best part is, this all happens in real time.

Immersive Labs’ Cyber Capability Score

Using Immersive Labs, security managers can define the best measures to demonstrate human cyber readiness in their own organization. At an individual level, managers can define objectives that map specifically to frameworks such as NIST NICE. Our experts have aligned many of our labs to this framework, which ensures those using our platform are developing skills relevant to real security teams today. Our experts have also created pre-defined objectives that map to the framework, supporting structured learning for different users or teams. These define a clear path towards specific technical roles, such as Vulnerability Assessment Analyst.

But evidencing isn’t the end…

We cannot stress this enough: cybersecurity is never game over. To maintain a solid security posture, your business must evidence strengths and weaknesses, yes, but it must also continue equipping employees with the latest cyber skills and then allowing them to exercise. This is how you will truly prepare your business for when an attack happens.

Published: 22 June 2020
