The magnitude of recent tech layoffs and budget cuts has hit business leaders hard. In addition to the human and business impacts, there are security ramifications as well, from disgruntled employees to understaffed cybersecurity teams. Couple these risks with cyber insurance agencies pulling back coverage, and organizations are faced with ever-increasing risks, with no end in sight. The only way to mitigate risk is not only for employees to be ready, but for them to be able to prove that they’re ready.

This year, many security leaders will be expected to provide concrete evidence to their boards, customers and regulators that their security teams are truly prepared for potential cyber crises. This competency will be particularly important once the SEC’s proposed cybersecurity incident disclosure rules are implemented.

Despite the demand for quantifiable evidence of cyber preparation, many of the world’s largest organizations don’t have the ability to determine individual and team capability. Without proper comparisons, it is impossible to know “what good looks like.” This lack of evidence results in organizations increasing cybersecurity spend without insight into whether technology and training investments are worth the price.

For an organization to achieve true cyber resilience, an understanding of skill level must be gained through benchmarking. This practice enables contextual measurement of team cyber skills and capability, offering visibility into strengths and weaknesses. Armed with data-driven insights, organizations can fill knowledge gaps and definitively prove cyber capability across the organization.

Benchmarking also enables visibility into industry-specific cybersecurity ability.  Armed with peer-to-peer performance metrics, leaders can make strategic investment decisions. 

For example, a major U.S. bank would want to know: 

  • How prepared am I for a cyberattack compared to my industry peers? What are my team’s strengths and weaknesses?
  • How do my people perform during crisis exercises?
  • Are skill performances changing over a six-month period?

By implementing targeted benchmarking, security leaders can gain data-driven answers to these questions and focus on filling gaps. Since benchmarking is ongoing, the assessment process can be repeated regularly, delivering real-time insight into workforce cyber resilience.  

Traditional cybersecurity training methods and certifications prioritize session completion over outcomes and don’t reflect adult learning patterns. When it comes to problem-solving and decision-making, capabilities degrade quickly. Maintaining competence in cybersecurity skills requires a regular exercising cadence, which is why annual crisis training is not enough to build lasting resilience.

Additionally, traditional training cannot be benchmarked, as the practice relies solely on a ticked-box mentality. To successfully benchmark cyber capability, organizations must reduce reliance on industry certifications, replacing traditional training methods with a focus on measurable, real-world skills. As the threat landscape accelerates, organizations must focus on building and upskilling human cyber capabilities. 

Since cyberattacks are a matter of when, not if, continuous real-world organizational exercising is crucial, as it allows organizations to assess, build and prove cyber resilience against a variety of threats. Continuous exercising shouldn’t be limited to any single group, team or individual. Security leaders need to apply continuous exercising across the entire organization. This includes crisis training for the board, C-level and management; technical training for security implementers and application developers; and tailored hands-on labs for all levels of stakeholders. Individuals and teams improve by doing, not watching. By safely exposing the entire organization to realistic cyber scenarios, security leaders can better prepare it to act in concert against potential real-world crises.

To ensure engagement, exercises must be dynamic, with decisions resulting in differing outcomes. The more teams practice, the better their ability to predict the next issue. Through ongoing exercising, teams’ ability to make decisions and respond will improve, ultimately building the people-centric resilience organizations need.

This approach to exercising also builds the cognitive agility needed to respond to unexpected threats. One byproduct of regular exercising is that teams are constantly “battle-tested” — seeking to not only succeed in attack prevention, but also to improve their offense in terms of proactivity and checking for vulnerabilities.

Benchmarking enables CISOs to develop a more targeted cyber resilience strategy. By measuring cyber defense and crisis management capabilities compared to industry benchmarks with data-backed evidence, security leaders are able to more effectively reduce risk and enable compliance across the organization. 

The quantitative data gleaned from continuous exercising is not only necessary for reporting, but it also provides a definitive answer to the question on every security leader’s mind: “How do you really know the team is ready in the face of a cybersecurity crisis?”