Confidence in the cyber skills of teams is, of course, something business leaders should strive for — but it should come with data to back it up. Attrition cybersecurity training has increased dramatically in recent years and is expected to reach $10 billion by 2027. Organizations invest in legacy cyber training and certification programs with the assumption that these methods adequately prepare attack teams; However, a recent study Immersive Labs in charge of Forrester Consulting found the opposite.

At first glance, leaders appear confident that their cybersecurity team is prepared and resilient, but when asked specifically how well prepared the team is for a particular attack or how effectively the team responds to and resolves incidents, confidence drops significantly. It’s an alarming finding that suggests traditional check-box training may actually be creating a false sense of security.

According to the report, 82% of leaders agree that they could have mitigated all or part of the damage from their most significant cyber incident in the past year if their teams had been better prepared, and more than 80% don’t think or aren’t sure their teams have the capabilities to respond to future attacks. Clearly, there is a disconnect between leaders’ confidence in the readiness of their teams and actual cyber resilience. This is because legacy training measures attendance, not actual ability.

The study also found that decision makers say they want to hire cybersecurity professionals with the experience and skills to get started, but more than half (63%) they also say they want to hire with certifications in mind. This investment is poorly spent and insufficient to deal with current cyber attacks, especially with the recent rise of generative AI technologies and other risk vectors. More than half (64%) of respondents agree that these traditional cybersecurity training methods are insufficient to ensure cyber resilience.

Additional findings from our research show why this disconnect exists and how it results in unpreparedness, both real and perceived:

• As threats become more advanced, pressure from senior leaders grows: As the threat landscape continues to evolve, 84% agree that their organization’s cybersecurity team feels increased pressure to prepare for the next cyberattack. Board and C-Suite pressure has also increased, with 65% of respondents agreeing that their organization’s board is putting more pressure on the cybersecurity team to demonstrate cyber resilience than a few years ago. This number jumps to 75% when respondents consider the pressures coming from the C-Suite today compared to years past.
• Teams are not strategically equipped to maintain cyber resilience: Although cyber resilience is a top strategic priority for many organisations, less than one-third (32%) believe their organization has a formal strategy to ensure cyber resilience. Teams have the right threat management tools and support from leadership teams, but the execution component is still missing. Teams don’t assess, hire or train enough resilience.
• Reporting is inconsistent, making it difficult to demonstrate cyber resilience: As boards and C-level executives look for concrete evidence of cyber resilience, senior leaders should be sharing breach readiness and incident response results more widely, but less than 60% do so today. Additionally, more than half (55%) agree that their cybersecurity team does not have the data needed to demonstrate readiness to properly respond to cyber threats.
• Organizations lack the talent to maintain cyber resilience: 83% of respondents feel their cybersecurity team is understaffed, and 94% have experienced at least one talent management challenge in their cybersecurity team.
• Cybersecurity needs a culture change to hire the right talent: HR and hiring managers rely too heavily on certifications and, as a result, turn away qualified candidates while creating a costly barrier to entry for early career and diverse talent to secure. While over 60% of respondents think their cybersecurity team is well-certified, 48% agree their team lacks expertise in certain security domains. This indicates a trend that existing recruitment processes are weeding out high-potential employees that companies can invest in and develop.

To better equip cybersecurity teams with the skills they need to increase cyber resilience and prove it, we need to focus on a practical, evidence-based approach. Confidence and preparedness come from exercise and practice. Teams can stop threats if they are better prepared and experienced in working together. Traditional training tactics must be left behind in favor of live simulations and labs that allow teams to fully experience real-life scenarios so they can learn how to mitigate them both technically and consciously in the process. With this type of training, organizations can benchmark performance and gathering insights to build and implement a more effective cyber resilience strategy.

Investing in a culture that focuses on building and proving cyber capabilities, along with rethinking hiring practices, is the only way organizations will be able to prepare cybersecurity teams for new threats, foster true trust, and foster lasting cyber resilience.