Max Vetter, VP of Cyber at Immersive Labs, on people-centric training
In an era of advanced persistent threats, where the digital landscape changes by the minute, the importance of cyber resilience cannot be overstated. As cyber threats continue to grow in complexity and sophistication, organisations must ensure that their workforce has the skills and knowledge to respond to them effectively. Max Vetter, VP of cyber at Immersive Labs, delves into the concept of cyber workforce resilience.
What is ‘cyber workforce resilience’? Can you shed some light on its significance in today’s rapidly evolving cyber threat landscape?
Cyber workforce resilience can be defined as the confidence to effectively prepare for, and respond to, cyber threats. It is a measure of how well an organisation can respond to and recover from cyber incidents while maintaining operational continuity. This concept is of paramount importance in today’s digital landscape, where cyber threats are not only increasing in volume but also in sophistication.
A key aspect of cyber workforce resilience is the ability to continually test, measure, and optimise the cyber knowledge, skills, and judgement of the workforce. This has to be done through a comprehensive platform that provides real-time insights into an organisation’s cyber resilience posture. By doing so, businesses can identify areas of vulnerability, address skills gaps, and ensure that their workforce is equipped with the necessary skills and knowledge to effectively respond to cyber threats. This proactive approach to cyber resilience is what enables organisations to stay one step ahead of potential threats and ensure business continuity.
What are the key components of a cyber resilience training programme that effectively prepares an organisation for potential threats?
Cyber resilience programmes should be tailored to the unique needs and threats faced by an organisation. The programme should be designed to enhance the technical skills and knowledge of the workforce. This includes understanding the latest cyber threats, the tactics, techniques, and procedures (TTPs) used by threat actors, and the appropriate defensive measures.
It’s also critical that such programmes focus on developing the judgement and decision-making skills of the workforce across teams and individuals. This is particularly important in a real-world scenario where employees may need to make quick decisions under pressure.
Security training should incorporate metrics and assessments to measure the effectiveness of the training and identify areas for improvement. Our latest research at Immersive Labs found that 46% of organisations lack the necessary metrics to demonstrate their workforce’s resilience, underlining the need for measurable outcomes in training programmes.
Lastly, the training programme should be dynamic and adaptable, mirroring the fast-paced and ever-evolving nature of cyber threats. Cyber threats today evolve more quickly than content for classroom training sessions can be developed, tested and embedded across the organisation.
How can people-centric cyber resilience strategies help organisations to identify and address the skills gap within the workforce?
Adopting a people-centric strategy can help organisations achieve a comprehensive view of their real cyber capabilities. In fact, our research found that people-centric strategies are the top strategic priority of organisations in 2023. Such strategies include improving both the security team’s and the general workforce’s cyber resilience, integrating new solutions to reduce human risks, and upskilling teams and individuals.
However, to make such strategies effective, organisations require a robust set of metrics to measure and benchmark their current human-cyber capabilities. Our study revealed that although organisations are currently using a variety of methods to measure cyber capabilities, many of these methods are haphazard and lack a comprehensive approach.
Response times to historical cyber threats are one of the most common metrics used, but they only provide an approximate assessment of future cyber capabilities. Other organisations use testing methods, such as phishing simulation tests, but these only provide insight into how an individual responds to a single type of cyber threat.
Some organisations use the NIST Cybersecurity Framework, which offers standards, guidelines and practices for managing and reducing cybersecurity risk. However, the use of the framework requires a tailored approach by each organisation, and it does not offer a certification programme or endorsement of implementation.
Only a small percentage of organisations use robust cybersecurity metrics, such as response times to addressing vulnerabilities, tracking intrusion rates, rate of internal data loss, and incidence rates of various threat types. These metrics can provide valuable insights into how the organisation deals with cybersecurity threats and incidents.
Given the fast-paced nature of cyber threats, how can we ensure that our cyber resilience training remains relevant, effective and agile?
Maintaining cyber resilience in the face of rapidly evolving cyber threats requires a shift in traditional training paradigms. In fact, 37% of organisations today run classroom training sessions on cyber threats that were active three months ago, which is reactive and ineffective.
To address this, organisations need to find an approach to developing cyber resilience that aligns with the speed of cyber threats. This involves regularly updating training content to reflect the latest threats and vulnerabilities, and delivering this content in a manner that allows for immediate application. This could be through interactive, scenario-based training exercises that simulate real-world cyber threats, enabling employees to apply their knowledge and skills in a practical context.
At the same time, training programmes should be designed to foster a culture of cyber resilience within the organisation. This involves promoting open communication about security, encouraging all employees to take responsibility for cybersecurity, and fostering a security-first mindset.
Businesses should also leverage advanced solutions to enhance the effectiveness of training. This means investing in tools that can provide real-time insights into an organisation’s cyber resilience posture, identify areas of vulnerability, and track improvements over time.
In addition, there should be a greater emphasis on cyber resilience at board level. Everything should be placed in the context of cyber resilience, rather than just focusing on the status of piecemeal inputs such as deploying new cybersecurity solutions. These measures can go a long way in helping businesses achieve robust resilience in this dynamic threat landscape, and adopt a continuous, comprehensive and effective approach to training that is aligned with the speed and nature of cyber threats.