Building Cyber-Resilience: Bridging the Gap between Programs and Assessment

Written by
Tommy Perniciaro
Published on
Jun 20, 2023

In today's rapidly evolving threat landscape, cyber-resilience has emerged as a critical priority for organizations worldwide. The ability to anticipate, withstand, recover from, and adapt to cyber-attacks and incidents is crucial for maintaining business continuity and safeguarding sensitive information.  

However, a recent report by Osterman Research, sponsored by Immersive Labs, reveals that many organizations are struggling to effectively assess the efficacy of their cyber-resilience programs.  

This article delves into the key findings of the report, highlighting the challenges faced by organizations and emphasizing the need for a comprehensive assessment approach.

The State of Cyber-Resilience Programs

According to the research conducted by Osterman, 86% of surveyed organizations reported having a cyber-resilience program in place. This statistic underscores the recognition of the importance of cyber-resilience in today's threat landscape.  

Concerns over ransomware, supply chain risks, and vulnerabilities have propelled organizations to invest in resilience initiatives. However, the report reveals a significant gap when it comes to assessing the effectiveness of these programs.

The Assessment Challenge

Over half of the surveyed organizations (52%) lack a comprehensive assessment approach for their cyber-resilience programs. This deficiency leaves them flying blind, unable to accurately measure the impact and effectiveness of their initiatives.  

Only 6% of respondents reported using informative metrics to track vulnerabilities, intrusion rates, internal data loss, and threat types. Without this kind of assessment, organizations lack the insight needed to make informed decisions and improve their cyber-resilience posture.

Additional Challenges

The Osterman report sheds light on several other challenges faced by organizations in their pursuit of cyber-resilience:

Ad hoc and Reactive Learning: The majority of organizations rely on ad hoc and reactive methods to stay informed about the latest vulnerabilities. This limited approach hampers the value security professionals can bring to the table, as they struggle to keep pace with the ever-evolving threat landscape.

Inadequacy of Traditional Training: Classroom-based training is unable to keep up with the rapidly changing threat landscape. Emerging threats require a dynamic and continuous learning approach that traditional training methods often fail to provide.

Insufficient Industry Certifications: Industry certificates for IT and security professionals have proven inadequate in addressing emerging threats. The fast-paced nature of cyber-attacks necessitates ongoing skill development and certifications that reflect current and future challenges.

Lack of Board Engagement: The report highlights a significant gap in board engagement, with fewer than half (46%) of the organizations requesting their security teams to prove corporate cyber-resilience. Board-level involvement and support are crucial for driving the cyber-resilience agenda within organizations.

Workforce Preparedness: Anxiety persists regarding the preparedness of regular employees. Over half (53%) of the respondents stated that their workforce is not well-prepared for the next cyber-attack. Despite years of training and phishing tests, 46% claimed that their employees would not know how to handle a phishing email, reflecting the need for enhanced training and awareness programs.

Closing the Gap: A Comprehensive Approach

To address the challenges outlined in the report and strengthen cyber-resilience, organizations must adopt a comprehensive assessment approach. This approach should encompass the following key elements:

Evaluating Current Resilience Levels: Organizations need to implement robust mechanisms to assess their current resilience levels accurately. Informative metrics should be leveraged to track vulnerabilities, intrusion rates, data loss, and threat types, enabling organizations to identify weaknesses and make data-driven improvements.

Bridging Cyber-Skills Gaps: A focus on competence assessment and building team-level skills is essential for enhancing cyber-resilience. Legacy approaches that rely solely on historical threat data are inadequate and cannot provide organizations with the agility required to address new and emerging threats. A comprehensive approach should involve ongoing training, upskilling, and reskilling initiatives that keep pace with the evolving threat landscape.

Emphasizing Continuous Learning: Organizations must move away from reactive learning approaches and embrace a culture of continuous learning. This entails staying informed about the latest vulnerabilities, emerging attack techniques, and best practices through proactive information sharing, threat intelligence platforms, and collaborative industry partnerships.

Strengthening Industry Certifications: Industry certifications need to adapt to the changing cybersecurity landscape and address emerging threats effectively. Certifications should focus on practical skills, real-world scenarios, and hands-on experience to ensure professionals are equipped to tackle the evolving challenges of cyber-attacks.

Board-Level Engagement: Boards play a pivotal role in driving the cyber-resilience agenda. Organizations should encourage board-level engagement and support, ensuring that cybersecurity is a top priority and that adequate resources are allocated to strengthen resilience initiatives.

Enhancing Employee Preparedness: Workforce preparedness is crucial for effective cyber-resilience. Organizations should invest in comprehensive training programs that go beyond traditional classroom-based approaches. Simulated phishing exercises, interactive workshops, and regular awareness campaigns can help employees recognize and respond to cyber threats effectively.


As the threat landscape continues to evolve, organizations must prioritize cyber-resilience and bridge the gap between their programs and effective assessment. The findings from the Osterman Research report emphasize the need for a comprehensive approach to evaluate cyber-resilience initiatives accurately.  

By assessing current resilience levels, bridging skills gaps, emphasizing continuous learning, strengthening industry certifications, fostering board engagement, and enhancing employee preparedness, organizations can build robust cyber-resilience capabilities.  

Ultimately, a proactive and comprehensive assessment approach will enable organizations to anticipate, withstand, recover from, and adapt to cyber-attacks, ensuring their continued success in an increasingly challenging digital landscape.
