The Chasm Between Cybersecurity Confidence and Actual Ability
A survey of 316 cybersecurity training strategy decision-makers in the UK, U.S., Canada, Germany and Sweden published today found a major disconnect between the confidence they have in their teams' abilities and those teams' actual abilities.
Conducted by Forrester Consulting on behalf of Immersive Labs, a provider of a cyberattack simulation platform, the survey also found a full 70% of respondents said they are confident in the cybersecurity resiliency of their organizations, with 60% reporting their cybersecurity team responds and resolves incidents effectively.
However, less than one-third (32%) believed their organization has a formal strategy to ensure resilience, and 82% either don't think, or are unsure, that their cybersecurity team has the abilities needed to respond to attacks. Well over three-quarters (83%) don't think their security team is confident in its own abilities.
A full 82% admitted they could have mitigated some, if not all, of the damage from their most significant cybersecurity incident in the last year had they been better prepared, and more than 80% don't think, or are unsure, that their teams have the capabilities to respond to future attacks. Nearly half (44%) conceded they are not able to measure their cybersecurity capabilities.
Only 17% of respondents considered their cybersecurity team to be fully staffed and 94% experienced at least one talent management challenge with the cybersecurity team. Nearly two-thirds (64%) agreed that traditional cybersecurity training methods such as certifications, video training courses and classroom instruction are insufficient to ensure cybersecurity resilience. A full 70% are making investments to improve training, the survey found.
Max Vetter, vice president of cyber at Immersive Labs, said it’s only natural for cybersecurity leaders to be confident, otherwise they would not be in that role. However, the level of overconfidence in resilience suggests that many of those leaders are overly optimistic. In fact, only 23% of respondents said they felt their cybersecurity teams were confident in their incident response abilities and only 17% said the workforce shared that confidence.
Only 56% said they shared breach readiness and incident response results, with more than half (55%) noting their cybersecurity team doesn’t have the data needed to demonstrate readiness.
Confidence stems from drills, so it’s apparent not enough cybersecurity teams are simulating attacks to test their response capabilities, said Vetter. In many cases, too much faith is being placed in platforms rather than the processes that enable organizations to remain resilient in the event of a cyberattack, he noted.
Overall, the survey found 84% of respondents agreed that cybersecurity teams feel increasing pressure to be prepared for the next cyberattack, with 72% noting the threat landscape is becoming more challenging.
Major challenges identified by survey respondents include lack of team resources (46%), lack of expertise (44%), inability to hire qualified talent (39%) and lack of bandwidth for training (37%).
Of course, it’s not unreasonable for cybersecurity leaders to have some innate confidence—otherwise, they would probably not have taken the job in the first place. The issue is making sure that pride doesn’t go before the fall.