Cyber Security

The protection of internet-connected systems, including hardware, software and data, from cyberattacks

Immersive Labs Global Study Finds Improved Response Time to Threats, Yet Resilience Efforts Still Fall Short

Immersive Labs, the world’s first Cyber Workforce Resilience solution, today released the second edition of its annual Cyber Workforce Benchmark Report, which offers a deeper look at organisations’ resilience to threats (or lack thereof), through analysis of proprietary data over ‌a one-year period. The study found that, on average, organisations’ response time to cyber attacks accelerated by approximately one-third—from 29 to 19 days—from 2021 to 2022, which can be attributed to the urgency and need for fast response times amid the fallout of the Log4j crisis and other high-profile vulnerabilities over the last year.

Immersive Labs’ research is based on organisations’ performance completing real-life cyber simulations spanning 1.1 million exercises and labs spanning technical staff to executives during a 12-month period from April 2022 to April 2023. Immersive Labs’ unique Resilience Score was a key factor in measuring and gauging trends against industry benchmarks. The goal of this report is to empower cyber leaders with insights to address strategy gaps, mitigate risk, and build lasting resilience to threats across the workforce.

Improvements to organisations’ median time to respond to new threats reveals a great deal about the overall state of cyber resilience, since faster response time means a smaller window of vulnerability and a lower risk of negative impact to the business. The Log4j crisis, for example, was a watershed moment that served as a catalyst for this urgency given its catastrophic impact. While the initial discovery of Log4j dates back to December 2021, it continues to be a chart-topper among users of the Immersive Labs platform as two of the top five most frequently attempted CVE labs over the last year were Log4j-related.

“Leaders should ensure that their workforce – at all levels of experience – stays current with emerging threats, and get proof of their teams’ knowledge, skills and judgment to quickly and effectively respond to threats,” said Immersive Labs CEO and Founder James Hadley. “Our report’s insights underscore the critical importance of consistently conducting realistic exercises to assess skills gaps and fill them before it’s too late — but just as importantly, if the worse case scenario does happen, knowing how to best handle incidents ‘after the boom’ to mitigate fallout.”

Immersive Labs’ research data also revealed several other notable patterns emerge including:

  • Organisations aren’t preparing their workforces enough for after-incident responses: To effectively reduce risk, organisations must be prepared before and after an incident. While organisations are ensuring that cyber resilience activities span the MITRE ATT&CK® framework, Immersive observed a notable bias towards the earliest stages of the attack lifecycle, suggesting security leaders are potentially leaving their organisations exposed to after-incident risk.

  • Seasoned cyber pros are more complacent in their skills than junior staff: Junior staff tend to challenge themselves with more difficult exercises and are more likely to stay current with new threats compared to more experienced cyber professionals. More junior workers on average complete content that is more difficult than more experienced professionals. However, to effectively prepare for cyber threats, individuals at all stages of their career need to be prepared for the latest threats.

  • Cyber resilience is rising globally amid more sophisticated threats: Modest gains were made in achieving resilience, especially those who focused on key areas such verifying the skills of new talent (46%) and assessing security team capabilities in realistic scenarios (30%) amid more sophisticated cyber threats.

  • Financial services firms are the top individual performers: Holistically, regulated industries only marginally outperform less-regulated peers, with a 6% difference across key resilience metrics, showing that regulated industries on average are not substantially better prepared for attacks than less-regulated industries. Nevertheless, financial services firms tend to perform the best, as the industry represents seven of the top 10 overall performers, which can be largely attributed to their commitment to continuous exercising and benchmarking their teams, creating organisational competence.

Download the 2023 Cyber Workforce Benchmark Report here.