Gartner has predicted the use of cyber ranges by large organizations to rise from 1% to 15% by 2022. Cyber ranging is an increasingly well appreciated way of boosting cyber dexterity, cyber posture and resilience for nations and organizations alike, since cyber ranging effectively addresses the 3 dimensions of cyber security: people, processes and technologies. This translates into the following number of macro use-cases:
- research/testing/analysis,
- training and learning,
- compliance,
- assessment of people/processes/technologies,
- proof of concept.
As people are considered the ultimate human firewall against cyber threats, training has been given great consideration. Traditional approaches to cybersecurity training are focused on skills transfer against given subject areas. They lead to degrees and qualifications: there is a big market with huge demand and supply, but the worldwide number of jobs to be filled still greatly exceeds the number of candidates. Also, there is mounting doubt among employers whether such candidates, whether graduated and/or certified, are really fit for the job and able to hit the ground running. In some countries, such as those in the FVEY group, there are extensive re-skilling programmes under STEM education, to support the transition of active service men and women to civilian roles.
It is easy to get entangled in the intellectual discussion, as old as the e-learning revolution, about competencies, curricula and syllabi. From our many conversations with corporate and government clients, it seems very clear that we should care about two questions:
- do deep-dive experiences better prepare organizations to respond when facing an incident?
- equally importantly – can that be proven? And how?
A further element of concern for close consideration is about the actual mix of hard vs. soft skills, and that of knowledge, skills and abilities. We have had great discussions in the USA about this: how do we secure that the cross-departmental Cyber Security Force of our organization can deal with an incident or a cyber threat in a both timely and effective manner? Coordination and collaboration attitudes and processes are as valuable as technical hands-on defense or counter-defense capabilities and viceversa. Technical capability though lags behind.