While catching up on my reading, I landed on Gartner’s annual Top 10 Strategic Technology Trends report (2020 edition) where this prediction caught my eye  –

“By 2022, 35% of large businesses in the training and simulation industry will evaluate and adopt immersive solutions, up from less than 1% in 2019.”

At first glance, this isn’t super surprising. The aviation industry has long used such simulation solutions, while, recently, the medical industry has also adopted such approaches. Doctors can now complete an intricate procedure in a simulator before cutting open a patient. I was very glad to hear about this, in fact, I look for the capability before I choose a hospital.

But what about in our cybersecurity industry? Experiential, simulation-based training is crucial and should be widely adopted in cybersecurity, yet we have barely scratched the surface. Moreover, there’s a scarcity of company-delivered annual training programs for cybersecurity teams almost everywhere.

Who has a training program?

I recently spoke to a room of 80+ cybersecurity executives and managers and asked them, “How many folks have end-user cybersecurity awareness training programs in place?” The answer was almost 100%. Close to 80 companies have systems and programs in place to regularly train end-users to do things like be careful not to click on suspicious emails.

Next, I asked, “How many companies have cybersecurity training programs in place to train their cybersecurity teams?” One hand started up, then retreated. As the day wore on, the more I thought about that result, the more troubled I became.

We work in an industry where cyberattacks occur at alarmingly increasing rates every year. The success of those attacks also grows each year. New variations on attack methodologies occur annually, while old attack methodologies continue to have success (SQL injection, cross scripting, etc.). Yet most companies do not have systematic training programs in place to stop them. At the same time, companies spend a combined $66 billion on technology (Gartner’s number in 2019), and many send their employees to SANS, ISC2, and other training programs. But few if any managers or CISOs actually have a training plan that benchmarks their team’s skill level, puts a plan in place to train those employees (that meets the needs and roles of the company), and tracks that training and assesses the skills learned.

It’s becoming glaringly obvious that one of the major reasons more successful attacks occur each year is because companies are spending way too much on technology without improving the skills of their people.

Military Leads The Way

Gartner’s report states,

“This use case (simulation-based training) includes training for mission-critical tasks and advanced operational skills.”

That sure sounds like what we do in cybersecurity. So where does this training exist today? The military leads the way here. Perpetually focused on operation training and simulation, the military has multiple Cyber Range training areas, one of the first being NATO’s Cyber Range (https://ccdcoe.org/) in Tallinn Estonia. This range focuses on blue team exercises for protecting critical infrastructure from attack. Estonia was chosen because they see these attacks frequently from their neighbor to the east.

Cyber ranges like NATO’s are complex hardware intensive systems that need significant setup and management to work successfully. It is not something most companies can afford to build or manage. Most if not all cyber ranges also lack the training aspect needed to adequately develop security team member skills. A comprehensive blue team exercise within a range is typically more a test of what skills the team has and how they will do working together. If a team member does not have the ability to take an action to contain an attack, for example, how to use Nmap to enumerate SSH servers and identify a server supporting an insecure authentication method, they are not going to learn them during their time working on the range. More likely, they are just going to do poorly.

So cyber ranges like NATOs give us a good start, but we need to overlay training into the equation to get to Gartner’s prediction that experiential solutions will be more widely adopted. What should such training look like?

Doing the actual work

Clearly, the entire approach must include a hands-on simulation component. In other words, as you work through a training class (like the Nmap training example above) you should do the actual work required at each step, in the cyber range. This means, for example; not only learning what Nmap script should be used, but actually running it to scan the SSH servers to find accepted authentication methods. Then identify the IP address of the SSH server improperly accepting password authentication, and access the server you identified and reconfigure it to deny password authentication, and finally restart the server and re-scanning it with Nmap to verify your fix worked.

A lot of smart people including Gartner think this is where the entire training industry is going. Such experiences are far different and much more effective than sitting in a class and having those steps explained in slides, or watching a recording of the lesson in an online training program. By actually doing the work, the user learns through actions and achieves a significantly higher retention rate.

Driving home skills 

There are additional capabilities that need to be included to be experiential. The training needs to be relevant to the learner – based on their roles and the operational world they work in. In the cybersecurity world, the training must not only include basic lessons but also lessons covering the latest vulnerabilities, attack methods, and malware types.

By making the training platform gamified it becomes something the learner enjoys and wants to do more of, thus, increasing retention. By showing the learner their progress and accomplishments and assisting when the learner becomes stuck they also avoid loss of interest.

Ideally, training relies on micro-learning — short, specific lessons that drive home skills. Micro-learning is a proven way to improve retention. Everywhere, but especially in cybersecurity, it is much easier to fit short (an hour or less) lessons in daily than sit in a class for a day, or watch a three-hour video.

Finally, to help fulfill the current void that there is “no such thing as an internal company cybersecurity training program,” the experiential learning system must include the ability to build training programs, assess the skills and improvements of each team member, and report on the entire process.

Already, the new class of cyber skills training products are offering experiential, simulation-based training that teaches new cybersecurity employees the skills needed to be effective. Cyber pros get a place to learn about and practice with the latest vulnerabilities and attacks. Security teams get purple/blue team exercises where members must work together to stop real cyberattacks in a cyber range. Security leaders get the planning and reporting capabilities required to create effective, metrics-driven security training programs for their teams.

I don’t think I’m alone here. My belief is that a year from now when I return to speak at the same event, I’ll ask those same questions and see a lot more hands in the air. With real operational training for cybersecurity teams available, not only will the hands go up but those continuously climbing malware and cyberattack success charts might finally start to fall.

More on the same topic: