March 16, 2022

Strengthening cybersecurity teams’ capabilities: Cyber Workforce Benchmark 2022


Our Cyber Workforce Benchmark brought to light some key lessons for anyone looking to improve the cybersecurity capabilities of their organization.

The data from over 300,000 simulations completed by security teams in 2,100 organizations around the world showed some interesting biases among security professionals.

We took the data about completed exercises and mapped it against the MITRE ATT&CK framework – a 12-stage matrix that divides cyberattacks into typical steps from start to finish, from initial access to final exfiltration of data.

Strong bias to defend against the first steps of an attack

We found that across all sectors, security professionals are much more interested in improving their skills on the left side of the MITRE ATT&CK framework – that is, the early stages of an attack. For example, labs that build the skills, knowledge and judgment to counter how malicious code is run were five times more popular than labs relating to data collection or exfiltration.

We also examined the time taken to complete labs as well as abandonment rates. These showed that security professionals found the high-profile compromise and initial access skills the most difficult and time-consuming to master. Labs on the left of the matrix took twice as long as people expected and saw high abandonment rates – 44% of people did not complete Initial Access labs.

This makes sense on one level – if you can defend against the initial steps of an attack then the later stages become redundant. But it does ignore a golden rule of cybersecurity – that you must be prepared for a breach to occur and to recover afterwards. And that means developing the skills, knowledge and judgment to deal with every stage of a security incident.

Lead times to improved human capabilities

Our research also showed long lead times between vulnerabilities being reported and organizations developing the skills to defend themselves against them.

We measured the time taken by 35,000 people at 400 large organizations to develop the skills, knowledge and judgment to counter 185 cyber threats.

Government advice is normally to have defenses in place within days – in Australia, the advice is to be ready in just 48 hours. However, the average from our data was over three months – or 96 days.

The report found that critical national infrastructure providers performed the worst, taking an average of 137 days – more than four months – to be ready to counter new threats. The fastest sector to respond was entertainment and leisure with average times of 65.4 days.

Speed and skills biases

Interestingly, we did find that in some cases organizations can move at the required speed to respond. Four of the five fastest developed skills in 2021 were linked to Log4j.

The lab that enabled people to run an OWASP dependency tool to check for the potential impact of Log4j was completed in less than a day. Three other related labs were completed within five days.

While Log4j was undoubtedly an extremely worrying vulnerability with potentially wide-ranging impacts on systems, it was also very high profile. Our resident psychologist’s view is that this reflects the innate human impulse to take immediate action when confronted with headlines and flashing red alerts.

But this rush to action can result in poor decision-making based on assumptions influenced by previous experiences, which may prove irrelevant to a new threat. To counter this, business leaders need to develop cognitive agility – the ability to ‘think about thinking’ to remove inherent biases and remain open to new views.

There is an equal bias in favor of developing skills against the early stages of an attack rather than the later steps. Stopping the initial risk and ‘saving the day’ is likely to garner praise, and it matches ‘hacker culture’. But again, leaders need to focus on developing team skills right across the board and measure those capabilities continuously to ensure there is a balance across the organization.

Dig deeper into the findings of the world's first Cyber Workforce Benchmark.

Kev Breen,
Director of Cyber Threat Research, Immersive Labs
