Cognitive agility of cybersecurity teams is low

A new study set out to assess the human, not just the technical, capacity of enterprise cybersecurity teams by looking at the knowledge, skills, and insight applied in more than half a million exercises and simulations run by 2,100 organizations over the past 18 months. Immersive Labs’ Cyber Workforce Benchmark 2022 report found that, on average, it takes teams more than three months (96 days) to develop the capability to defend against a newly emerged cyber threat.

“Data raised by the study on the time lag between the emergence of threats and reaction against them shows the need to accelerate the development of human capacity in the cyber field in large organizations. Without this, people will possibly be making decisions based on unhelpful preconceptions,” says Rebecca McKeown, director of human sciences at Immersive Labs and former military psychologist.

According to McKeown, cybersecurity presents a unique challenge for human skills development. Responding in a hybrid battlespace, whose real-world and digital characteristics are constantly changing, makes continuous skill development crucial to building what the report calls cognitive agility.

[Figure omitted. Source: Immersive Labs]

According to the report, Infrastructure and Transportation were the two sectors that took the longest, averaging more than four months (137 days) to develop adequate skills after a threat emerges. By comparison, national cybersecurity bodies expect technical infrastructure to be patched in days or, in some cases, hours. For example, the US Cybersecurity and Infrastructure Security Agency (CISA) requires, under Binding Operational Directive 19-02, that critical vulnerabilities on internet-accessible federal systems be remediated within 15 calendar days of initial detection.

The Log4j vulnerability was the exception to the rule: cybersecurity teams developed the relevant capability in just two days. This exception ties in with another finding of the study: cybersecurity teams prioritize developing knowledge, skills, and insight against the threat groups that attract the most attention. The top five groups of interest, in order, are UNC2452 (SolarWinds), Iranian threat groups, FIN7, Hafnium, and DarkSide. For these groups, capability development is significantly faster; in the case of SolarWinds, for example, the reaction was almost eight times faster than average.

The frequency with which organizations conduct cyber crisis response exercises varies significantly across industries. After analyzing more than 6,400 crisis response decisions, the study showed that technology and financial services companies prepare the most for cyberattacks, conducting nine and seven exercises per year, respectively. Organizations in the critical infrastructure sector are the least prepared, with only one exercise per year.

Ransomware is the leading source of uncertainty for crisis response teams: seven of the ten crisis scenarios in which teams showed the least confidence in their response involved this type of threat.

Application security teams build capability faster than cybersecurity teams. Analyzing 43,000 application security practice exercises, the research found that 78% were completed faster than expected, compared with only 11% of cybersecurity labs. On average, application security exercises were completed 2.5 minutes under the expected time, while cybersecurity labs ran 17 minutes over.

Pointing to a possible future problem, among the 176,000 exercises completed by university students and others seeking a career in cybersecurity, application security skills had the lowest engagement rate, a quarter of that for offensive security skills. Given that insecure software was one of the main causes of the biggest breaches seen in 2021, the concern is almost certain to worsen.

Psychological view

From a psychological perspective, only by running regular exercises can crisis response teams consciously develop the ability to draw connections between previous decisions and how, or whether, to apply them during an incident. A live crisis is not the time to learn. This is a central tenet of cognitive agility.

According to Immersive Labs, cybersecurity teams tend to focus on execution, and there are psychological effects at play. Like any professional in a large organization, members of these teams seek recognition from their superiors and may see ‘executing’ against threats as the quicker way to get it.

Those responsible for crisis response need to develop cognitive agility: the ability to “think about thinking”, to distance oneself from the impulse to act, and to control decision-making consciously rather than reacting automatically. In practice, this skill develops over time through continuous exposure to frequent exercises and the discarding of preconceived ideas.