Recently, IBM Security announced the results of the “2019 Ponemon Institute Study on the Cyber Resilient Organization,” the fourth annual look at cross-industry preparedness for cybersecurity. Each report has taken a year-over-year look at the current state of cyber resilience and the business’ ability to maintain its core purpose in the face of a cyberattack.

Now that we have multiple reports’ worth of insights to digest, this is a good time to take a macro view of those trends: what has improved, and where security organizations still need to strengthen their ability to respond effectively to cyberattacks.

Security Leaders Are Feeling Good

There has been a lot of positive improvement since the first report in 2015, including how leaders feel about their current cybersecurity posture. Fifty-four percent rated their cyber resiliency as high this year, which is an improvement from just 35 percent in 2015. This seems to go along with their improved perception of preventing a cyberattack, which increased from 38 percent in 2015 to 53 percent this year.

The Ponemon reports also show that businesses are placing more value in cyber resilience. This year, 62 percent of businesses rated the value of cyber resilience as high, an improvement from 51 percent in 2015.

In theory, this is all good news. Leaders are saying they value cyber resilience more and, as a result, businesses have gotten better at preventing cyberattacks. Naturally, then, leaders feel positive about their business’ overall cyber resilience. But there is still some work to be done.

Confidence Is High, But Is It False? Crucial Areas Are Being Overlooked

Unfortunately, there have also been a few key areas where businesses either haven’t improved or have declined since 2015. Most concerning is the lack of consistent incident response plans. This year, 77 percent of organizations said they do not have a consistent incident response plan deployed across the organization, compared to 82 percent in 2015. This is a slight improvement, but there is still a long way to go, despite the feeling of confidence in overall cyber resilience.

This aligns with stagnation found in other areas. In 2015, 47 percent of businesses rated their ability to quickly detect a cyberattack as high, and it’s improved to just 53 percent this year. Businesses also have decreased confidence in their ability to contain a cyberattack once it has hit, dropping from 52 percent in 2015 to 49 percent today. Clearly, there is a problem if half of all security leaders don’t feel confident in their ability to detect a cyberattack, and then cannot quickly contain it once they’ve found it.

Douse Fire Drills With Incident Response Plans

It makes sense that security leaders would not feel confident in their ability to quickly contain a cyberattack if there is not a proper incident response plan in place. Being able to work quickly on a complex and evolving cyberattack requires an in-depth, consistent and repeatable incident response plan.

We know that high performers — study participants who have achieved a high level of cyber resilience — are far more likely to have a consistent incident response plan deployed. High performers were tops in preventing, detecting, containing and responding to cyberattacks, and just 5 percent of those do not have an incident response plan. It stands to reason, then, that starting with a well-defined incident response plan is crucial for cybersecurity overall.

Get Incident Response Plans Off the Ground

We’ve heard from respondents and our own customers that building a plan, keeping it up to date and deploying it consistently across the business is hard work. Whether it’s disjointed business units, too many politics in the way or no leadership support, incident response planning seems to fall by the wayside. But we know having a plan like this in place is crucial to cyber resilience, so how can security leaders overcome these challenges and set the business up for cybersecurity success?

Making incident response plans a reality starts with acknowledging that process is hard to scale, but can be made a lot easier with buy-in from leadership. To start, conduct an enterprisewide workshop to overhaul your incident response processes. This will establish the importance of cyber resilience in the minds of the C-suite as well as leaders from marketing, HR, legal, IT, customer service and other departments. When all stakeholders truly understand the benefits of a fully deployed plan, they’ll be much more invested and willing to contribute to building a standard, documented and repeatable incident response plan.

Of course, businesses will need the right tools and the right people in place to ultimately stop threats effectively. But tools and people are ineffective without a proper plan to guide them. Understanding the risks to the business through the process of building an incident response plan can help your leaders understand which tools to deploy and how many people are needed in crucial roles. Committing to an incident response plan, and consistently testing and adjusting it, is what leads to cybersecurity maturity. From there, security leaders can start implementing automation to create a truly orchestrated incident response process for the business.

Increase Efficiency With Orchestration

Once the strategy for an incident response plan has been put in motion, security leaders will have support for their positive feelings toward cyber resilience — which should result in growing confidence in Ponemon reports to come. With a consistent, repeatable incident response plan in place, the foundational pillars of people, process and technology will be set and businesses can mature their cybersecurity processes from there. The high performers lead the way with deploying orchestrated incident response processes, smartly automated tasks and the right people in the loop.

To learn more about the benefits of going through this journey and how getting to an orchestrated incident response model can positively impact the overall business, take a look at how to outsmart cyberthreats with security orchestration and automation.
