A man walks by the Wall Street Bull by the New York Stock Exchange (NYSE) on Jan. 11, 2022, in New York City. (Photo by Spencer Platt/Getty Images)

IT security professionals at financial institutions are better-prepared than their peers in many other industries, but they are still not performing as well as they should be when responding to cyberattacks, according to a report released Wednesday.

Lack of speed in response to major hacks typically causes large enterprises overall to be “left exposed by a three-month gap in human cyber capabilities after threats break,” according to a release announcing the findings of the inaugural "Cyber Workforce Benchmark" report by Immersive Labs, which develops platforms to track and analyze the productivity of enterprise cyber professionals. (Log4j is an exception. Cybersecurity teams across the board were able to develop their cyber workers to respond within just two days to this recent pervasive threat.)

Rebecca McKeown, director of human science at Immersive Labs and a former military psychologist, points out that the gap this research discovered between threats breaking and people having the ability to defend against them illustrates the need for IT security teams at large organizations to respond faster.

“Without this, people will potentially be making decisions founded in unhelpful biases,” McKeown said in a prepared release announcing the report’s findings.

“Cybersecurity presents a unique skills development challenge for humans,” she added. “Responding to the hybrid real-world and digital battlespace, which is always changing, means continuous skills development is crucial to preventing skills decay and building cognitive agility.”

The report analyzed the responses of more than 35,000 cybersecurity professionals at 400 organizations in different industries worldwide, and found that in general, there was a “96-day lag in knowledge, skills and judgment” even after widespread cyberattacks were widely released and recognized.

The financial industry generally fared better than most other sectors reviewed in this research. For example, the study found that the infrastructure and transportation sectors were the slowest to respond to cyberattacks, taking an average of more than four months (137 days) to get their IT security staffers up to speed after a significant online threat comes to light.

Indeed, out of the 10 industries that the study reviewed, technology and financial services firms were the best-prepared for cyberattacks. Financial institutions tend to run an average of seven cyber exercises per year, while manufacturing, infrastructure and transportation companies typically run just one exercise annually, the study found.

Kevin Breen, director of cyber threat research at Immersive Labs, said that there is “often no ‘right’ response to decisions in a cyber crisis. Response teams face numerous "wicked problems — ones which sandwich people between a set of difficult outcomes with no clear-cut right answer.”

“The highly regulated, deeply connected, nature of financial institutions compounds this,” he added.

While the financial industry in general appears to be better off than other critical or oft-targeted sectors, the research also pointed out that the frequency of cyberattack exercises varies significantly across sectors. Despite their relative preparation, financial services teams still score below average performance compared with all the sectors reviewed when looking at all areas. And, in terms of cyber crisis responses, out of the top 10 worst decisions, five came from the financial services industry.

As Breen said: “With a multitude of stakeholders to manage and regulations to adhere to, it tends to become more about prioritization of the least-worst answers.”

“How do you strike the balance here and apply your resources and response priorities?” Breen added. “This all serves to make the decisions more complex.”

For example, in an attack that affects the financial firm’s immediate ability to service customers, but also presents a potential wider systemic risk to other banks, the IT security team and management may ask themselves what demands must be met first, and what needs to be done to stay compliant, according to Breen. The fact that it takes large enterprises in critical sectors — including financial services — so long to respond flies in the face of the expectation that these organizations will be able to remediate, remove or patch damaging malware and other attack vectors within 48 hours after they are discovered, as recommended by government cybersecurity bodies.

According to Breen, the best response is for financial institutions to exercise regularly in order to help cyber crisis response teams develop the ability “to step back and think about their choices in context.”

“Only by regularly refining decision making in simulations can you develop the cognitive agility necessary to respond effectively,” Breen said. “You don’t want to be learning the impact of these decisions when the lights are flashing for real. If you wait until then, decision-making is at the mercy of unhelpful biases.”