“There are many companies reporting to the board of directors without sufficient resilience metrics,” Osterman Research

A recent survey found that most companies have cybersecurity resiliency programs, but a comprehensive approach to assessing resiliency is still lacking.

The study, conducted by market research firm Osterman Research and commissioned by cybersecurity training firm Immersive Labs, surveyed 570 senior security and risk managers at companies in the US, UK and Germany with more than 1,000 employees. It was conducted on a sample of 100 respondents.

“The rules of engagement for cyberthreat actors are constantly evolving, creating catastrophic and unavoidable situations,” said Michael Sampson, an analyst at Osterman Research, who conducted the survey and wrote the report. “Most enterprises want cybersecurity resiliency, but the practice of building, testing and improving resiliency is still immature,” he wrote.


“Resiliency programs in form only”

The survey found that 86% of respondents said their organization had a cybersecurity resiliency program in place. However, more than half (52%) of respondents said that a comprehensive approach to assessing resilience was lacking.

Cybersecurity resiliency programs consist of a combination of resiliency strategies, plans and/or infrastructure. Most of them (51%) are managed internally by the company, while 35% of companies outsource the program to third parties such as consulting firms.

Nearly half of respondents (46%) could not name an adequate metric for their workforce’s resilience to cyberattacks. Only 6% of companies use operational metrics such as response time, intrusion rate, internal data loss, and incident rates broken down by data type.

“I’m frustrated by the lack of metrics companies use to evaluate their cybersecurity capabilities and resiliency,” Sampson said. “Most of them rely on evaluation frameworks that use indicators, tests and metrics that are not related to resilience,” he notes.

Even so, over the past six months, 46% of boards have asked their security teams to demonstrate their organization’s cybersecurity resilience.

“It was also surprising to see companies reporting cyber resilience to their boards of directors several times a year, even though there is no standard for measuring resiliency,” Sampson said. “I don’t know what to say in the absence of proper evaluation metrics, but the chaos in reality will be bad news for everyone involved. It would be nice if boards requested evidence and dug deeper into the results of resilience assessments.”


“Concerns over external threats and insufficient training”

Cybersecurity threats and their ramifications are the main reason for introducing resiliency programs. 63% of respondents said they were concerned about ransomware, while 51% and 48% were concerned about supply chain attacks and code exploits, respectively.

“The chaotic nature of key business concerns, such as ransomware, supply chain and third-party attacks, and coding vulnerabilities, makes resilience more difficult,” Sampson said. “This type of attack is dynamic, chaotic, and often out of corporate control.”

Skepticism about security certifications was another notable finding. Nearly all organizations (96%) encourage their IT and cybersecurity teams to obtain certifications, yet only 32% say such certifications are effective in mitigating cyber threats, and only 48% look for cybersecurity certifications during the hiring process.

The frequency of security training was also insufficient to address cybersecurity threats effectively. Only about 27% of respondents said they receive cybersecurity training every month.

“Certifications and training play an important role in developing competencies, but they don’t tell you how to apply them in real-life events and in working with teammates,” Sampson points out. Despite years of security awareness training and phishing tests, nearly half of respondents (46%) said they were unsure how their employees would handle a phishing email.

According to Sampson, the time it takes to develop certification training content, for individuals to learn it, and to assess their competency cannot keep up with the rapidly changing threat landscape. In other words, individuals are always behind the times when it comes to addressing current cyber threats.

Osterman Research concludes that, for organizations to respond effectively to emerging cybersecurity threats and a rapidly changing security landscape, they should make it a priority to assess and address resilience levels and skills gaps more actively, while developing skills, knowledge and judgment across the workforce.


Source: ITWorld Korea by www.itworld.co.kr.
