In a thought-provoking interview with SafetyDetectives, Max Vetter, Vice President of Cyber at Immersive Labs, delves into his extensive background in cybersecurity. His journey from the Metropolitan Police Service in London to shaping the future of cybersecurity at Immersive Labs is a testament to his expertise in the field. Vetter offers a unique perspective on the challenges and innovations in cybersecurity, drawing from his rich experience in law enforcement, ethical hacking, and cyber resilience training. He discusses the pivotal role of human elements in cybersecurity, the evolving nature of cyber threats, and the synergy between AI systems and human expertise in fortifying cyber defenses. This interview promises to shed light on the intricacies of cybersecurity and the path forward in a rapidly changing digital landscape.
Can you start by talking about your background and your current role as VP of Cyber at Immersive Labs?
Before joining Immersive Labs, I spent seven years working with the Metropolitan Police Service in London. I worked as a police officer, intelligence analyst, and covert internet investigator, while also spending time in Scotland Yard’s money laundering unit. I also worked with the Commercial Crime Services and Federation Against Copyright Theft, investigating commercial crime, fraud, and serious organized crime groups. After leaving the police force, I trained private sector and government agencies in ethical hacking and open source intelligence, specializing in darknets and cryptocurrencies. This included three years of teaching at the GCHQ Cyber Summer School.
I joined Immersive Labs in 2018 and over the course of my tenure have helped customers identify, assess, recruit, develop and retain cybersecurity talent.
What are the flagship services that Immersive Labs provides?
We measure human performance in many facets of life, from sports to university exams and professional certifications. When it comes to cybersecurity, we have become adept at understanding and quantifying an individual’s ability in many areas. Still, there are blind spots that have often eluded precise measurement: how well a team works together and how we actually prove resiliency. Despite the growing lists of tools and technologies available to organizations today, they aren’t enough to build and prove resilience. Current approaches to people-centric cybersecurity aren’t up to the task of ensuring teams must have the right capabilities and make the right decisions when it counts.
Immersive Labs offers a new perspective — Cyber Workforce Resilience. Our platform allows organizations to continually assess, build, and prove the cyber capabilities of their cybersecurity teams with an entirely new level of rigor. We’re seeing cyber resilience increasingly become a Board and C-level priority and topic of conversation, with many left wondering, how do you know if you’re ready for a cyber attack? Immersive Labs helps answer that question. It pioneered a practical, hands-on approach to upskilling and measuring team and individual cyber defense capabilities, from technical skills to decision-making.
As industry certifications and traditional training methods fail to build and prove preparedness for attacks, Immersive Labs takes a novel approach. Immersive Labs’ four-step approach to resilience — exercise, benchmark, upskill and prove — aims to arm CISOs and security leaders with the data and confidence they need to protect organizations and address blind spots.
Most recently we introduced our Workforce Exercising solution that allows leaders to build and prove cyber resilience across all levels and roles. As employees complete exercises, the solution gives CISOs and other cyber leaders a color-coded dashboard featuring percentages of risk by security topic, such as social engineering, physical security, and phishing across teams and individuals. This provides a detailed breakdown of risk by team and individuals, pinpointing where more upskilling is needed. When organizations use the Immersive Labs Platform to upskill their people, they are able to view their overall resilience score against industry benchmarks and best practices, and see progress over time.
In your view, what are the most pressing cybersecurity challenges that organizations face today?
Human error continues to be a key driver behind most cyber incidents with eighty-two percent of global breaches involving some form of the human element, such as social attacks, errors, and misuse. With this, an ongoing challenge for organizations is really knowing that their team is ready for the next attack. And in today’s digital world, readiness needs to expand beyond the security team to include all employees within an organization, including senior leaders and C-Suite executives. Attackers target everyone within an organization so it’s imperative that all employees know how to spot a phishing email, understand the risk associated with shadow IT and know how to safely engage with and use AI and genAI powered tools.
Technology alone can’t solve the problem. Organizations need to shift their approach to a people-centric cybersecurity one that focuses on improving the cybersecurity capabilities of the entire workforce. This shift will require organizations to abandon traditional training tactics and instead invest in a culture that leverages effective people- centric approaches, such as live simulations, and progressive, career-path aligned online training and upskilling to bolster their cybersecurity teams’ capabilities. Many organizations have cyber resilience programs in place but they are failing to prove teams’ real-world cyber capabilities. To really see value from these programs, organizations will need to leverage benchmarking techniques to gather data around their people’s cyber capabilities. Armed with this information, leaders can build and implement a more effective cyber resilience strategy, one that prioritizes assessing, building, and proving cyber capabilities.
What strategies do you recommend for organizations to ensure that their cybersecurity teams are well-prepared and equipped to defend against cyber threats?
Right now we see organizations prioritizing two things when it comes to training and upskilling their security teams to defend against cyberattacks. The first is an overreliance on industry certifications particularly during the recruitment phase. However, these certifications do not mean candidates have the right expertise and experience. Although almost all (96%) organizations encourage IT and cybersecurity teams to gain industry certifications, only 32% of respondents agree that industry certifications are effective.
The second is organizations are not using the most effective upskilling approaches. Many use video training courses and external/vendor training, potentially because they are the most accessible and the least expensive; but these traditional training approaches are not the most effective. Recent research found that despite years of security awareness training, almost half of organizations say their employees would fall victim to a phishing email. This tells us that the trainings being deployed and executed on aren’t effectively preparing teams to defend against attacks.
To address the evolving threat landscape, organizations need to turn their attention to building and proving long-term cyber resilience: the ability of the workforce to adapt, respond, and recover from cybersecurity incidents, not merely the ability to detect and prevent them. This means moving beyond the typical, infrequent training methods and certifications that have become standard in the industry. Instead, cybersecurity training should take an always-on approach. This involves regular real-world exercising, which offers insight into the strengths and weaknesses of an organization and provides data for security leaders to act on. Unlike certifications and trainings, which often take months to develop, real-world exercises can keep up with the evolving threat landscape to ensure that teams can match the pace of the industry.
By utilizing the tangible data from these exercises, security leaders have the information they need to address problem-areas and build out their security strategies to offer the best coverage that meets the unique needs of their organization.
How do you see the relationship between continuous cybersecurity training and the ability to respond effectively to evolving threats?
A problem we frequently see with traditional cybersecurity trainings is that they are offered too infrequently and, as a result, can’t keep pace with attackers. Our research found that nearly 40% of organizations are running these trainings quarterly. But attackers move much quicker than this meaning trainings are based on attacker techniques that were active three months ago making them reactionary and ineffective. Security teams are left scrambling to understand attacks and are unsure of the best course of action.
With weekly real-world trainings, security teams can stay nimble and engaged in the threat landscape. This makes the recovery process far easier and allows teams to make accurate assessments of a situation and create a properly suited action plan from there rather than relying on a playbook.
How do you envision the collaboration between human cybersecurity experts and AI systems in the future of cyber defense?
Similar to many other industries, cybersecurity teams are looking for ways to leverage AI to streamline procedures and simplify day-to-day operations. Many people have grand ideas for the applications of AI, however, it is still important for organizations to consider the human element of these processes. We are still in the early stages of utilizing AI and genAI which means that the data and information being produced by the technology still needs to be verified by a security professional. There is certainly a place for AI in cybersecurity. However, it is our responsibility to ensure it is being used in the proper way.