Cyber Certifications Have Failed. There Is A Better Way To Build And Prove Cyber Skills.


With the rapid advancements of generative AI and evolving threat landscape, the job of cybersecurity has never been harder, and the pressure to protect organizations has never been greater. With the likelihood of a breach being a matter of when, not if, preparedness is top of mind for Boards. But there is a more pressing question: how do we really know our teams are prepared for the next attack? Organizations have poured hundreds of thousands of dollars into traditional training techniques – is it working?

In short: no.

At a time when preparedness is so vital, organizations have, ironically, never been less prepared. According to the Cyber Workforce Resilience Trend Report, despite years of security awareness training, almost half of organizations say their employees would fall victim to a phishing email. And certifications are proving to be ineffective: Although almost all (96%) organizations encourage IT and cybersecurity teams to gain industry certifications, only 32% of respondents agree that industry certifications are effective.

The truth, as painful as it might be, is that traditional cyber training and industry certifications are failing organizations and their leaders.

Faced with this reality, a growing number of organizations are turning their attention to building and proving long-term cyber resilience – the capabilities and confidence to respond effectively to threats – which tops the list of strategic and spending priorities for organizations in 2023. Nearly all (86%) of organizations note they are already operationalizing a cyber resilience program, pointing to cyber resilience becoming the pillar of the modern cybersecurity strategy.

However, while the findings indicate that building cyber resilience is a priority, they also show that many programs are falling short, ultimately failing to prove cyber teams’ real-world cyber capabilities. More than half (52%) of respondents say their organization lacks a comprehensive approach to assessing cyber resilience.

To address this, here are five steps organizations should take:

1. Adopt a formal cyber resilience strategy – To truly build cyber resilience, technology alone is not the answer. Deploying an effective strategy requires organizations to leverage benchmarking techniques to gather data around their people’s cyber capabilities. Armed with this information, CISOs and other cyber leaders can build and implement a more effective cyber resilience strategy, one that prioritizes assessing, building, and proving cyber capabilities.

2. CISOs Should Lead Strategic Discussions with the Board – Cyber risk and preparedness are top priorities for Board members; however, these individuals often lack security expertise, which means they don’t ask the right questions. As the role of the CISO continues to evolve, it’s imperative that they have a seat at the table with senior leaders – and that the Board has a baseline understanding of cybersecurity to ensure there is a meaningful dialogue about cybersecurity priorities and strategies. In fact, the U.S. Securities & Exchange Commission (SEC) may now require some level of cyber expertise on the Board.

3. Measure Your Workforce’s Cyber Capabilities – In order for CISOs to have meaningful, strategic conversations with boards, they need to present the right metrics: ones that demonstrate proof of cyber resilience, such as breach readiness and incident response results. Metrics like the number of attacks, alerts, and events don’t actually measure a team’s true cyber capabilities or tell us anything about how prepared they are for the next attack.

4. Invest in Continuous Exercising – Organizations that regularly exercise teams are best able to withstand attacks. The timeline between the disclosure of vulnerabilities and attack activation is measured in hours and days, not weeks or months. Offering traditional training monthly or quarterly isn’t going to be effective. Cyber exercises need to be run with measured frequency to match the pace of attackers and build muscle memory.

5. Recruit Talent with Potential, Not Certifications – An area where we see an over-reliance on industry certification is recruiting. Certifications do not translate to expertise — full stop. Given the talent shortage and budget-tightening efforts, a cultural shift must happen as part of the recruiting process in which prospects are considered for their aptitude or future potential and not based on how many certifications they have. By overemphasizing certifications, organizations are actually rejecting qualified applicants or creating a costly barrier to entry for early career and diverse security talent.

Attackers move quickly, relying on organizations’ historically slow response times to make would-be breaches successful. With new AI tools offering sophisticated ways to script phishing emails, for example, this threat is only accelerating. It’s time to stop our industry’s overreliance on outdated methods of certification and training. At a time when leaders and boards want assurance that their people are prepared, certifications and traditional training programs don’t deliver on their promises. Organizations need proof of real cyber capabilities, not a false sense of security.
