www.csoonline.com
151.101.194.165  Public Scan

URL: https://www.csoonline.com/article/3696932/organizations-reporting-cyber-resilience-are-hardly-resilient-study.html
Submission: On May 19 via api from TR — Scanned from DE


Text Content

ORGANIZATIONS REPORTING CYBER RESILIENCE ARE HARDLY RESILIENT: STUDY


THE STUDY COMMISSIONED BY IMMERSIVE LABS FINDS MAJORITY OF CYBER RESILIENT
COMPANIES LACK TOOLS TO ASSESS THEIR RESILIENCE.


By Shweta Sharma

Senior Writer, CSO | 18 May 2023 12:43





While most organizations have a cyber resilience program in place, more than
half of them lack a comprehensive approach to assessing resilience, according to
a study by Immersive Labs.

The study, aimed at understanding business preparedness amid growing incidents,
found a strong intent to strengthen cybersecurity capabilities, driven by
external threats.

“Rules of engagement for cyberthreat actors are constantly innovating to cause
catastrophic and unavoidable situations,” said Michael Sampson, analyst at
Osterman Research and author of the survey whitepaper. “Hence while cyber
resilience is a hope for most organizations, the practices of building, testing,
and improving cyber resilience are still immature at most organizations.”



The study, commissioned through Osterman Research, surveyed 570 respondents in
senior security and risk roles in organizations with over 1000 employees. The
survey was conducted in the United States, United Kingdom, and Germany.


CYBER RESILIENT, YET NOT

While a majority (86%) of organizations have a cyber resilience program, more
than half (52%) of respondents said their organization lacks a comprehensive
approach to assessing cyber resilience.

These programs consist of a combination of cyber resilience strategies, plans,
and/or infrastructure, with the majority being internally managed by
organizations (51%). At the same time, a smaller portion is outsourced to third
parties, such as consultancies (35%).



Companies lack proper metrics to assess cyber resilience: almost half (46%) of
senior security and risk leaders are missing suitable metrics to showcase their
workforce’s resilience against cyberattacks, and only 6% use informative
metrics like response times, intrusion rates, internal data loss, and incident
rates of various data types.



“I was disappointed by the lack of strength in the metrics that organizations
were using to assess cybersecurity capabilities and resilience,” Sampson said.
“Most are relying on an assessment framework using indicators, tests, and
metrics unrelated to resilience.”

The survey also indicated that at fewer than half (46%) of organizations, the
board had asked the security team to demonstrate the organization’s cyber
resilience in the past six months. For the senior leadership team, the figure
was 51%.

“It was also surprising to see organizations without metrics on cyber resilience
who still report several times a year to the board of directors on cyber
resilience,” Sampson added. “We don’t know what is being said in these cases,
but obfuscation of the reality would be bad news for everyone involved. It would
be great if the board of directors at organizations started asking for evidence
and drilling down into what is informing that assessment of resilience.”


EXTERNAL THREATS, UNRELIABLE TRAINING ARE AMONG MAJOR CONCERNS

Cybersecurity threats and issues are the leading drivers for adopting cyber
resilience programs. Sixty-three percent of respondents said they are concerned
about ransomware, with 51% and 48%, respectively, being wary of supply chain and
code exploit-based attacks.

“The challenge of immature cyber resilience is reinforced by the chaotic nature
of the key concerns held by organizations — ransomware, supply chain and
third-party attacks, and coding vulnerabilities,” said Sampson. “There are many
aspects of these attack types that remain dynamic, chaotic, and out of the
control of the organization.”



Distrust of industry certifications emerged as a key concern in the survey.
While almost all (96%) organizations encourage industry certifications, only 32%
said they are effective at mitigating cyberthreats. Also, only 48% of
organizations look for cybersecurity certifications in hiring processes, despite
96% of them indicating that they encourage IT and cybersecurity teams to earn
certificates.

The frequency of classroom training is also insufficient to effectively address
cybersecurity threats, as only approximately 27% of respondents receive monthly
training.

“While certification and training have a role to play in developing competence
with a topic or product, they are less well suited to assessing how an
individual would apply that competence to an ‘in the wild’ event and in
relationship with others on the team,” Sampson added.

Despite undergoing security awareness training and phishing tests for several
years, nearly half of the respondents (46%) indicated that their employees would
be uncertain about how to handle a phishing email.



The time gap between developing certification training content, individuals
learning the content, and assessing their competence doesn’t align with the
rapidly evolving threat landscape, leaving individuals consistently outdated in
addressing current cyberthreats, according to Sampson.

The study concluded that organizations need to prioritize cybersecurity efforts
that focus on developing skills, knowledge, and judgment across the workforce,
while actively evaluating and addressing resilience levels and cybersecurity
skills gaps, to effectively tackle new and emerging threats in a rapidly
evolving cybersecurity landscape.

Copyright © 2023 IDG Communications, Inc.
