Building cyber resilience in an age of AI
Cybersecurity remains one of the most important business investments amid new threats, including those presented by generative AI. However, as businesses invest in ways to mitigate cyber risk, many are uncertain whether the increased spending is actually strengthening their organization's security posture, often because they lack evidence that it is.
As new research highlights that fewer organizations feel confident that their business can withstand a cyber attack, how can businesses build and prove their organization-wide preparedness for threats?
What is cyber resilience and why is it important?
We define cyber resilience as the ability and confidence to prepare for, and respond effectively, to cyber threats. Cyber resilience is critical to an organization's long-term success, especially as we see new threats like AI-assisted attacks emerge. True resilience means knowing that your entire organization has the knowledge, skills, and judgment to respond rapidly to prevent or mitigate damage.
According to a study we developed with Osterman, more organizations prioritize long-term cyber resilience due to an evolving threat landscape and a steady increase in cyber attacks. But, despite cyber resilience being at the top of strategic and spending priorities, many organizations' cyber resilience programs are falling short.
Our study revealed that in 2023, cyber resilience continues to be a strategic priority for businesses. Enhancing the capabilities of the cybersecurity team and the wider workforce was found to be the top strategic priority for 80 percent of organizations. Within this, 44 percent of respondents classified it as a high priority, while 36 percent deemed it an essential priority for their organization. Despite this, there is a significant gap in the effectiveness of cyber resilience programs, as many companies lack a comprehensive methodology for assessing cyber resilience or proving it.
What steps can be taken to build a framework for cyber resilience?
Building a robust framework for cyber resilience is critical for organizations, particularly in light of the increasing frequency and sophistication of cyber threats, such as cyber criminals' use of AI to script realistic phishing emails. The Osterman research highlights the urgent need for organizations to implement better ways of evaluating their current resilience levels and to fill cyber skills gaps.
Organizations need to assess their current state of preparedness for cyber threats. This includes evaluating the competence of their teams, identifying areas of weakness, and understanding where skills gaps exist.
It is then crucial to build team-level skills. This can be achieved through regular and comprehensive training sessions, as well as through advanced cybersecurity tools.
Organizations must then highlight and address skills gaps. This means implementing continuous upskilling across the workforce, alongside hiring strategies, to ensure all members of the organization have the necessary skills to respond effectively to cyber threats.
Businesses must not rely on legacy approaches from historical threat data. Instead, they should adopt new methodologies to address emerging threats. Companies must understand that driving the cyber resilience agenda requires a comprehensive, forward-thinking approach that assesses competence, builds skills, addresses gaps, and fosters internal cybersecurity culture.
What are the key factors enabling organizations to achieve cyber-resilient outcomes?
Cyber resilience is a multifaceted concept, and its successful implementation within an organization depends upon various factors. Our recent research shows that there are five main themes that contribute to cyber resilience.
Cyber upskilling is paramount. This involves regular, realistic exercises and labs against new threats. It's crucial that this training encompasses both cybersecurity professionals and the general workforce.
The role people play in cyber defense cannot be overstated. Organizations need to hire and develop qualified individuals with the expertise to handle the demands of their roles. These professionals should be up to speed with current cyber best practices, and there should be structured incentives for them to extend their proficiency and expertise.
Organizations should also focus on the implementation of business risk management programs. This approach allows organizations to identify gaps, categorize risks, and prioritize interventions based on business and financial implications.
Finally, fostering a security-first culture is essential. This involves open communication about security and ensuring that all employees accept responsibility for cybersecurity.
Achieving cyber resilience is not about focusing on isolated inputs but about implementing a holistic approach.
How can businesses provide effective cyber resilience training in the face of rapidly evolving cyber threats?
As cyber threats continue to evolve rapidly, traditional classroom training and certifications are failing to keep pace.
According to recent research, training needs to be engaging, innovative, and frequent. Additionally, every member of the organization from cybersecurity professionals to the general workforce should be encouraged to participate. This will ensure that every member from every team understands how to recognize and respond to cyber threats.
It is also important to ensure that team and individual cyber capabilities are up to date, reflecting the latest threats and vulnerabilities. Training should also move at the 'speed of cyber,' meaning that it must adapt quickly to the ever-changing cyber threat landscape.
How can organizations measure their cyber resilience?
Measuring cyber resilience is a complex task that requires a comprehensive approach. According to research, there is a significant gap between the perceived importance of cyber resilience and the effectiveness of current assessment methodologies.
From our research, respondents acknowledged that there is a link between their workforce's cyber resilience and the success of their organization. But, only 58 percent indicated that their organization effectively assesses cyber resilience. This suggests that many organizations may lack a robust assessment methodology, rely on ineffective metrics, or have low trust in their current assessment methods.
Furthermore, only 33 percent of respondents expressed confidence that their workforce is fully prepared to perform the relevant tasks needed to recover from a cyber incident. This indicates that only a third of organizations currently have a cyber resilience assessment methodology that provides an accurate picture of resilience during a cyber incident.
Therefore, organizations need to develop more effective ways of measuring cyber resilience. This could involve implementing more robust assessment methodologies, developing stronger metrics, and building greater trust in these assessment methods.
While cyber resilience is recognized as a strategic priority, organizations must address the gap in effective assessment methodologies. A comprehensive approach that includes regular training, advanced cybersecurity tools, and a security-first culture is essential to build resilience and prepare for evolving cyber threats.
Max Vetter is VP of Cyber at Immersive Labs