The future of cyber defense is in the hands of entire workforces

Cyber threats are no longer confined to Hollywood movies and dark basement flats.

Nations engage in cyberwarfare and hackers target global organizations, putting critical infrastructure everywhere at risk. The threat landscape, in short, has evolved.

It’s not just an increase in the number of threats – that much goes without saying. The real concern is the variety of attack methods, which is being driven by digital transformation around the world. As businesses look to secure everything from their CEO’s inbox and customer data to their application code, the attack surface is ever widening.

Technological measures are necessary to respond to such numerous attack vectors effectively, but they are by no means a panacea. Every employee – technical or otherwise – should possess some level of cyber awareness, while security professionals require the right tools to upskill at the right time. To achieve this, businesses must build a security culture from the ground up.

We are currently in the midst of a digital arms race, and it’s a race that the attackers are winning. Their vast community builds its own advantages through the way its components work cohesively. This means that in every element of a successful attack, there are specialists who can rapidly add new technology and techniques to maximize the damage.

Defenders can’t build their security in the same way. This is partly because they’re segregated in company silos, and partly because they struggle to upskill on attacker innovations. The good guys need to be armed just as quickly, and this is where we must learn from the opposition. But until we replace stale classroom training with interactive, engaging and on-demand cyber skills content, we will not catch up.

In the current threat landscape, effective defense relies on key elements that aren’t part of a traditional cybersecurity strategy. Firstly, every employee must understand that they have a part to play in protecting their business from attack. Cybersecurity is no longer something handled by a select few while the majority remain ignorant; it is everyone’s problem, and because of this, cyber skills initiatives should engage and inspire every part of an organization. Gamified software is an excellent place to start.

Secondly, the effectiveness of these efforts must be measured and tracked against emerging threats. This will give boards visibility around not only the capabilities of their technology and process, but also their people. The best way for an organization to monitor its specific security strengths and weaknesses is to employ a solution that maps its content to industry frameworks, such as MITRE ATT&CK™.

The sheer volume of emerging threats challenges vendors to help organizations focus on relevant risk as much as possible. The only way that companies full of security experts can really help is to give businesses solutions that align to the real risks they’ve prioritized. Security leaders are always looking for ways to measure and visualize the effectiveness of security, so metrics that are understandable at board level are essential. Only when companies begin to promote good cybersecurity hygiene across the entire workforce will the rate of successful attacks slow.