CISOs need to be better equipped with strategic metrics and proof points to better align their organization for defense against the ever-changing threat landscape.

Max Vetter, Vice President of Cyber, Immersive Labs

June 14, 2023

4 Min Read

As someone who has been in the cybersecurity industry for nearly two decades, I find it refreshing to see federal entities are putting more focus on the changes that need to happen to keep organizations secure. With the Department of Defense (DoD), Cybersecurity and Infrastructure Security Agency (CISA), and White House all releasing updated cyber guidelines and policies, a newfound — and much-deserved — sense of urgency and importance has been placed around cyber defenses, preparedness, and skilled talent.

Similarly, the long-anticipated proposed new cybersecurity requirements from the US Securities and Exchange Commission (SEC) allude to an impending incident disclosure rule and proof of cybersecurity expertise on company boards. While we await the final language, I believe these requirements are a step in the right direction for up-leveling transparency and communication, ultimately emphasizing how cybersecurity is a business imperative across all industries.

But with one important caveat.

As much as the added pressure from the SEC and other government agencies on timely reporting and disclosure is a needed force for change, many organizations aren't equipped to handle this level of oversight and reporting. Many security leaders currently lack the means to gather evidence to share with boards and executive leadership; as a result, fewer than 60% report breach readiness and incident response results to them. What's more, more than half of security leaders (55%) agree their cybersecurity team doesn't have the data needed to demonstrate readiness to respond properly to cyber threats.

To comply with government guidelines, organizations must invest in more effective ways of building and proving cyber capabilities across teams through practical exercises. Organizations must make a paradigm shift in their approach to cybersecurity that comprises the following actions:

1. Provide specific metrics to prove resilience and capabilities. Despite proof points and actionable metrics laying the foundation of nearly every other business function, measurement is practically nonexistent when it comes to identifying the faults and strengths of an organization's cybersecurity posture. To advance cyber resilience, cybersecurity teams need better methods to assess and prove their capabilities, especially since most cybersecurity leaders agree their board is placing more pressure on the security team to prove that resilience.

Without metrics to gauge efficacy, how do leaders know whether costly training investments are worthwhile? Teams may have the right risk management tools and conduct breach readiness assessments, but they aren't sufficiently assessing or training for resilience.

2. Move away from technological "spot solutions." As the threat landscape continues to evolve, most security leaders are adding more tools to their ever-growing tech stacks to prove their cybersecurity strength to key stakeholders. Implementing "spot solutions" is likely to leave holes in an organization's defenses, making it vulnerable to attackers. There are tools available that address nearly every security challenge these days, but a plug-and-play approach isn't an effective defense.

Chief information security officers (CISOs) should consider consolidating their tools to reduce complexity. Even so, a streamlined toolset can't be the sole line of defense. One of Gartner's predictions for 2023 is that the challenges confronting CISOs will evolve beyond technology, cybersecurity, and controls, and will instead center on the human element. Security technology must be coupled with a battle-tested, capable workforce to be effective in responding to cyber threats if, and when, they happen.

3. Put your people first in your approach to effective cybersecurity. Adopting a people-centric, proactive cybersecurity approach puts organizations in a better position to combat cyber threats and prove resilience to boards and company leadership. While organizations may be investing in traditional cybersecurity training methods like certifications, tabletop exercises, and classroom work, these tactics are largely insufficient against current cyberattacks, particularly given the recent surges in ransomware and generative AI technologies. I'm not alone in thinking this: despite the increase in training investments, 80% of cyber leaders don't believe their teams have the capabilities to respond to future attacks.

To address the ongoing staffing challenges and talent gap, cyber leaders should reevaluate hiring practices. HR and hiring managers are over-relying on and overemphasizing certifications, rejecting qualified applicants or creating a costly barrier to entry for early-career and diverse security talent.

To meet these new expectations, CISOs must be better equipped with strategic metrics and proof points to align their organization for defense against the ever-changing threat landscape. Our current approach to cyber readiness and resilience needs some work, but it's promising to see that cybersecurity and its leaders are finally getting their seat at the head of the table. The fact that multiple federal entities are making a concerted effort to emphasize the need for communication and proof is promising momentum in the right direction.

About the Author(s)

Max Vetter

Vice President of Cyber, Immersive Labs

Max leads a team of cyber experts at Immersive Labs, helping customers stay ahead of the threats and be resilient against cyber attacks.

Max spent seven years with London's Metropolitan Police Service as a police officer, intelligence analyst, and covert internet investigator, including working in the money laundering unit in Scotland Yard. He also worked as Assistant Director of the ICC Commercial Crime Services investigating commercial crime, fraud, and serious organized crime groups.

Before joining Immersive Labs, Max spent three years training the private sector and government agencies including the UK's GCHQ and its cyber summer school in ethical hacking and open source intelligence and was the subject matter expert in darknets and cryptocurrencies.
