James Hadley at Immersive Labs argues that when it comes to fighting the hackers it’s time to turn the workforce into a strategic asset
For many years, the conversation around cybersecurity centred on getting the board to take the threat seriously. Today, with global security spending set to top $1.75 billion through to 2025, it’s clear business leaders are listening.
Despite the investment in security, however, the number and severity of breaches have continued to climb. Impressive as it is, the predicted $1.75 billion in cyber spending will still be dwarfed by the cost of data breaches, which are expected to hit $10.5 billion annually by 2025.
The issue is not how much is being spent, but how it is being spent. Most organisations still orient their security budgets around technical solutions, investing in multiple layers of point solutions that address a single issue each. This approach is continuing to fail because it misses the big picture – security is no longer a backroom IT issue. It’s a matter for the entire organisation.
Security strategies need to reflect this if they are to have a meaningful impact on reducing risk exposure. All departments, from legal and regulatory to marketing and customer service, need to be equipped with the knowledge, skills, and judgement to do their part in protecting the business.
Businesses also need to be able to effectively measure and benchmark their workforce’s cyber skills and determine if training efforts will make a difference in a real security crisis.
So why have past approaches failed to achieve this, and how can organisations break the cycle?
Why legacy approaches to security are falling behind
The cyber threat landscape continually shifts and evolves as adversaries adopt new tactics and discover new vulnerabilities. By comparison, most traditional approaches to security are extremely static, accounting for a single moment in time and failing to keep pace as threats develop.
Many approaches, such as external auditing and certification schemes, are also highly focused on fixed assets such as technology and processes, but fail to account for the capabilities, knowledge or skills of individuals and teams.
Even when the human aspect of security is considered, solutions still tend to be very fixed. For example, staff training courses still follow a “point in time” approach that focuses on a particular threat. Such courses are slow to adapt, quickly rendering them irrelevant as the threat landscape moves on.
Further, they often take the form of an uninspiring race-to-the-finish series of exercises that participants will speed through without properly engaging.
Providing meaningful measurements of progress and the impact on risk exposure is another issue, as tests usually follow a multiple-choice structure which gauges the participant’s ability to recall facts rather than their capabilities in a crisis. Similarly, “tabletop” style exercises fail to capture the essence of a real cyber threat, so don’t accurately assess individuals’ capabilities in a crisis.
The impact of static security testing
Relying on these stagnant legacy strategies means that organisations are failing to capture an accurate, real-time view of cyber risk across their entire operation. Further, it leaves a particularly problematic gap when it comes to measuring and understanding the level of cyber expertise in the workforce.
Are staff operating with a decent level of security savvy and following best practice, or are they inadvertently leaving the company exposed to a serious data breach? Is there a comparable level of cyber knowledge across the enterprise, or is, say, the HR department creating an unnecessary risk while the legal team excels?
Organisations that cannot answer questions like these will be unable to make any meaningful improvement to their risk exposure and resilience. This makes it impossible to make effective strategic improvements to workforce knowledge and skills, with efforts falling to the tactical level or simply being fruitless tick-box exercises.
Attempts at improving workforce knowledge and skills will likely be inadequate and wasteful one-size-fits-all approaches that lag far behind the continually innovative threat actors.
Instead, enterprises need to take on an organisation-wide approach, with crisis exercises that cross departments to include the entire workforce. These exercises need to be purpose-built to recreate specific environments across the business if they are to effectively test resilience against emerging threats.
Understanding and improving cyber skills
Firms should be looking to take on an approach that centres on continuous measurement and improvement and optimises the impact on cyber resilience.
The first step is to effectively benchmark current knowledge, skills, and judgement. Rather than unengaging, unrealistic tests and on-paper exercises, this requires realistic simulations. Importantly, these need to be organisation-wide, cross-departmental, and purpose-built to create specific environments and scenarios.
The exercise needs to go beyond the static, detached feel of a typical tabletop exercise and accurately reflect a genuine threat such as a ransomware outbreak or a malicious insider stealing classified data. Recreating the feel of an authentic cyber crisis will really battle test the participants and reveal whether they can keep their heads and apply their knowledge effectively when the pressure is on.
Advanced crisis simulations can even account for external factors such as changes in share price and brand reputation, depending on how the security incident is dealt with. Once multiple simulations have been completed, the second step is to collate the data on human capabilities and judgement and map it back to risk, creating a real-time picture of exposure and cyber resilience across the entire business.
Crucially, this data needs to be granular enough to highlight the performance of individuals and teams, and their resulting impact on risk exposure. Results should also be benchmarked against industry peers to provide context on how typical the company’s performance is.
Everyone has a role to play in cyber resiliency
The final step is to implement solutions to plug any gaps exposed through the exercise. Armed with sufficiently granular data, the organisation can tailor these solutions to specific business roles and risks, as well as individual needs. This will optimise the impact of any exercises, providing much greater results than applying a clumsy blanket approach across the business.
Organisations can then focus on the different needs of business departments – HR will, for example, obviously have very different priorities to application development. It also means that executive leadership and other key decision makers who will take point in a crisis can really have their mettle tested and can undergo training and development tailored to their needs.
Businesses can go a step further by mapping their activity against specific security frameworks, which can be particularly useful when it comes to regulatory compliance. MITRE ATT&CK is a strong choice here as firms can measure their results against specific attack tactics and techniques in the framework to further highlight where they should focus.
And from here, it’s back to the beginning to establish a real-time view of the workforce’s cyber capabilities and continuously improve their contribution to the company’s resilience.
James Hadley is CEO of Immersive Labs