www.helpnetsecurity.com
52.10.66.75  Public Scan

URL: https://www.helpnetsecurity.com/2023/06/13/cyber-resilience-continuous-approach/
Submission: On June 14 via api from TR — Scanned from DE


Text Content


Max Vetter, VP of Cyber, Immersive Labs
June 13, 2023


HOW TO ACHIEVE CYBER RESILIENCE?



Cyber resilience is a leading strategic priority today, and most enterprises are
now pursuing programs to bolster their ability to mitigate attacks.

Yet despite the importance placed on cyber resilience, many organizations
struggle to measure their capabilities or track their progress. They are
essentially flying blind, relying on unreliable indicators such as historical
attack response times or operating with no real framework in place.



Many organizations are stuck spinning their wheels, attempting to cobble
together an assessment framework using indicators, tests, and metrics unrelated
to resilience. A lack of accurate metrics also means many firms have little idea
of their true capabilities, leading to a dangerous combination of overconfidence
and under-preparedness.

How can enterprises start making meaningful improvements when it comes to cyber
resilience?


CYBER RESILIENCE HINGES ON DEVELOPING SECURITY SKILLS AND KNOWLEDGE

The heart of cyber resilience lies not with the latest technology but with the
organization’s workforce. Regardless of the company’s other investments, it is
unlikely to see a meaningful increase in security if it does not invest in its
people.

First and foremost, this means having access to security personnel with the
right training and experience and ensuring they can continually learn and adapt
to new threats.

But it also means non-technical staff. Senior executives without security
backgrounds will be counted on to keep cool heads and make critical strategic
decisions amid a serious and time-sensitive crisis. Finally, it means the
ability for personnel throughout the company to recognize and respond to a broad
range of cyber threats such as phishing.

Enterprises generally know that their workforce is an important part of their
security strategy but are often unsure how to invest effectively.

Traditional cybersecurity training is often delivered ad hoc using outdated
learning methods and primarily measures attendance – not proven capabilities.
This approach is far too slow and stilted to keep up with the speed of cyber.
Classroom training sessions are usually at least three months behind, so tactics
and malware strains may already have fallen out of use by the time the team gets
to grips with them.

Classroom settings are generally the default for the wider workforce, but
courses are offered too infrequently, and participants are unlikely to engage
and retain enough knowledge to change their behaviors meaningfully. Leadership
may also engage in tabletop exercises, but again these are generally rendered
ineffective by being too infrequent and too divorced from the reality of a real
cyber crisis.


CERTIFICATIONS ARE NO SUBSTITUTE FOR STRATEGIC DIRECTION

We have found that organizations often rely on industry certifications to guide
their security training and development programs. But while they can provide a
general direction for security professionals on how they might approach threats,
they do little to address current specific threats or drive true preparedness.

Many security decision-makers have told us they lacked confidence in
certifications having a meaningful impact on threat mitigation. Tellingly, most
security hiring does not take certifications into account.

Truly increasing cybersecurity capabilities requires identifying skills gaps,
filling them, and proving the increase in resilience to the company’s senior
leadership.

Achieving this requires a purposeful and proactive approach to security skills
and awareness.


A CONTINUOUS APPROACH IS KEY

Driving cyber resilience requires a continuous approach to development. It’s
been clear for some time that sporadic, classroom-based learning efforts are
simply not delivering the results businesses need, either for cyber
professionals or non-technical leadership and other staff.

Instead of relegating security development to a forgettable annual calendar
reminder, a continuous approach must keep security at the forefront of mind
throughout the year.

Security threats also need to be brought to life with realistic simulation
exercises. This approach will provide a much more engaging experience for
participants and a far more accurate indication of their abilities. Real-life
exercises give far more insight into an individual’s mindset and potential than
a certification’s often rote, static nature.

Security teams must be ready to respond rapidly and confidently to the latest
emerging threats, aligned with industry best practices. They must have the right
skills, from closing off newly discovered zero days, to mitigating serious
incoming threats like attacks exploiting Log4Shell.

But they must also be able to apply them calmly and in control even if they face
a looming crisis. This capability can only be developed through continuous
exercise.


USING FRAMEWORKS TO FOCUS SECURITY STRATEGIES

This activity must happen within a framework that defines the organization’s
priorities and goals. Existing frameworks such as NIST make a good starting
point, while firms should ideally create their own once they have the confidence
and data to do so. The aim is for leaders to demonstrate the strengths and
weaknesses of all teams and departments throughout their organization and
compare this to industry benchmarks.

As organizations continually accept cybersecurity as a strategic priority, it is
also essential that CISOs have a seat at the executive table. While this has
become more common, some businesses still have their CISO report into the CIO,
effectively rendering security as a subsection of IT. Having the CISO directly
involved at the executive level will help ensure that the company’s security
preparedness matches its confidence, ensuring that resilience is given the
proactive strategic importance it requires.



