While most organizations have a cyber resilience program in place, more than half of them lack a comprehensive approach to assessing resilience, according to a study by Immersive Labs.

The study, aimed at understanding business preparedness amidst growing incidents, found a strong intent to strengthen cybersecurity capabilities, driven by external threats.

“Rules of engagement for cyberthreat actors are constantly innovating to cause catastrophic and unavoidable situations,” said Michael Sampson, analyst at Osterman Research and author of the survey whitepaper. “Hence while cyber resilience is a hope for most organizations, the practices of building, testing, and improving cyber resilience are still immature at most organizations.”

The study, commissioned through Osterman Research, surveyed 570 respondents in senior security and risk roles at organizations with over 1000 employees. The survey was conducted in the United States, the United Kingdom, and Germany.

Cyber resilient, yet not

While a majority (86%) of organizations have a cyber resilience program, more than half (52%) of respondents said their organization lacks a comprehensive approach to assessing cyber resilience.

These programs consist of a combination of cyber resilience strategies, plans, and/or infrastructure, with the majority being managed internally by the organization (51%). A smaller portion is outsourced to third parties, such as consultancies (35%).

Companies lack proper metrics to assess cyber resilience: almost half (46%) of senior security and risk leaders have no suitable metrics to show their workforce’s resilience against cyberattacks, and only 6% use informative metrics such as response times, intrusion rates, internal data loss, and incident rates for various data types.

“I was disappointed by the lack of strength in the metrics that organizations were using to assess cybersecurity capabilities and resilience,” Sampson said. “Most are relying on an assessment framework using indicators, tests, and metrics unrelated to resilience.”

The survey also indicated that in fewer than half (46%) of organizations had the board asked the security team to demonstrate the organization’s cyber resilience in the past six months. For the senior leadership team, the figure was 51%.

“It was also surprising to see organizations without metrics on cyber resilience who still report several times a year to the board of directors on cyber resilience,” Sampson added. “We don’t know what is being said in these cases, but obfuscation of the reality would be bad news for everyone involved. It would be great if the board of directors at organizations started asking for evidence and drilling down into what is informing that assessment of resilience.”

External threats, unreliable training are among major concerns

Cybersecurity threats and issues are the leading drivers for adopting cyber resilience programs. Sixty-three percent of respondents said they are concerned about ransomware, with 51% and 48% respectively wary of supply chain attacks and code exploit-based attacks.

“The challenge of immature cyber resilience is reinforced by the chaotic nature of the key concerns held by organizations — ransomware, supply chain and third-party attacks, and coding vulnerabilities,” said Sampson. “There are many aspects of these attack types that remain dynamic, chaotic, and out of the control of the organization.”

Distrust of industry certifications emerged as a key concern in the survey. While almost all (96%) organizations encourage industry certifications, only 32% said they are effective at mitigating cyberthreats. Also, only 48% of organizations look for cybersecurity certifications in their hiring processes, despite 96% of them indicating that they encourage IT and cybersecurity teams to earn certificates.

The frequency of classroom training is also insufficient to effectively address cybersecurity threats: only approximately 27% of respondents receive monthly training.

“While certification and training have a role to play in developing competence with a topic or product, they are less well suited to assessing how an individual would apply that competence to an ‘in the wild’ event and in relationship with others on the team,” Sampson added.

Despite years of security awareness training and phishing tests, nearly half of the respondents (46%) indicated that their employees would be uncertain about how to handle a phishing email.

The time gap between developing certification training content, individuals learning the content, and assessing their competence does not align with the rapidly evolving threat landscape, leaving individuals consistently out of date in addressing current cyberthreats, according to Sampson.

The study concluded that organizations need to prioritize cybersecurity efforts that focus on developing skills, knowledge, and judgment across the workforce, while actively evaluating and addressing resilience levels and cybersecurity skills gaps, in order to effectively tackle new and emerging threats in a rapidly evolving cybersecurity landscape.