Any CISO, security team lead, or training manager will agree that constant learning is key to their teams keeping pace with the threat landscape.
But does the learning experience delivered by today’s training programs actually prepare professionals for real-world threats?
Teams, who already grapple with a shortage of skilled talent to support them with day-to-day tasks, face the increasingly-familiar struggle of finding time to train.
And by the time they consume said training material, new vulnerabilities and technologies come to light.
Finally, most technical training programs also fail to address a fundamental pillar of security:
Inspiring long-lasting behavioral change in the workplace.
It's beyond dispute: conventional cybersecurity “training” programs may have shaped the industry, but they are failing modern security teams.
Traditional training spurs images of “tick-the-box” compliance. It’s often viewed as mandatory and mundane, instead of an exciting opportunity to add career-enriching skills to a professional's repertoire.
An example of this is sending employees on week-long training courses that teach a set of specific skills:
Training isn’t personalized to attendees. So employees risk covering only some of their skill gaps and spending unnecessary time on skills they’re already competent in.
Staff “drink from a firehose” of information. There’s a large volume of content delivered within a short duration. Unless there is an opportunity to practically apply this content, employees will retain only a small percentage of theoretical knowledge and practical skills.
Integrating learning into the average cybersecurity professional’s working schedule is difficult. Content is usually delivered offsite, so employees need to coordinate time away from day-to-day responsibilities to train (instead of learning in the flow of their workday).
After attending this type of training, employees still leave the room with newly acquired skills that make them more productive at work, as they have new information to deploy.
But modern organizations need a talent-centric approach to cybersecurity training. One that inspires teams to adapt rapidly to emerging threats and work cross-functionally.
This is why Hack The Box champions a culture of lifelong upskilling in lieu of one-and-done training.
Upskilling is the next stage of skills development in cybersecurity. So, how does it differ from “training?”
Effective upskilling factors in more than just technical content. It balances the behavioral, psychological, and social dynamics of learning—and then applying—threat-landscape-connected skills in the workplace.
This builds the intrinsic motivation and mindset that employees need to continually grow. It respects the fact that cybersecurity is a team effort, and encourages better collaboration, mentoring, and knowledge sharing between teams.
For both teams and individual employees, upskilling turns learning into an enjoyable habit; one that is driven by employees, not by someone pushing them to do it.
This type of motivation is referred to as “intrinsic” and contrasts motivations that are “extrinsic” (like salary, bonuses, and other external rewards).
Whilst extrinsic motivators are useful, they only work in the short term. And like traditional training, the effects are soon lost.
Intrinsic motivation unlocked by upskilling, on the other hand, lasts longer and can turn frequent behaviors into permanent habits.
BJ Fogg's model for behavioral change states that when encouraging new behaviors in the workplace, employees must have:
The motivation to change their behavior.
The skills or ability to action the behavior.
A trigger or set of circumstances that call them to action.
If one of these elements is missing, behaviors are less likely to “stick” because there’s too much resistance. Hack The Box encourages long-lasting behavioral change by:
Inspiring intrinsic motivation within employees. Gamification rewards users for their efforts and encourages them to push their skills development. Access to a community of more than 2 million members, who are also upskilling in cyber, makes the journey more rewarding as learners find friends and mentors.
Providing the perfect level of difficulty and challenge. The grading of Machines, Academy Modules, and Challenges by difficulty match the level of challenge with an employee's current abilities. Guided learning environments also offer help to those who need it, without spoon-feeding answers and detracting from the learning experience.
Offering realistic, bite-sized learning in the flow of work. Traditional training is usually delivered over a period of days or in one go. HTB allows skills development to fit into, and around, the workday. This improves retention and reduces the “burden” of learning.
When Toyota set out to develop the skills of its infosec team, they used Dedicated Labs to make upskilling part of the work week.
Up to 15 team members from a variety of backgrounds and skill levels (including security engineers and red teamers) gathered for “CTF Fridays” to regularly sharpen their skills.
CTF Fridays even led to a “buddy system” in which team members mentored each other, identified knowledge gaps, and continued learning outside of the weekly event.
This is just one example of how HTB fosters intrinsic motivation and better collaboration between teams.
Within the HTB platform, hands-on Labs, Machines, and Challenges that simulate realistic environments are the foundation for technical content.
Gamification then serves to encourage users to continue learning. Real-time progress is measured across different domains with skill points, levels, flag submissions, and global rankings.
Progress made within a team or enterprise account is also transferable to community accounts. This incentivizes employees to level up in their own time, outside of a work or team environment.
The HTB Enterprise platform recently integrated Sherlocks, an environment to enhance digital forensics and incident response (DFIR) capabilities.
Combined with the release of guided defensive security learning environments on the HTB Academy, this signifies a shift toward fostering collaboration between offensive and defensive teams.
By breaking down traditional silos, HTB facilitates a purple team approach to cybersecurity. This helps offensive teams develop practical skills in defensive security while allowing blue teams to think like attackers and collaborate with offensive teams.
For example, earlier this year, an unauthenticated arbitrary file read vulnerability in Repetier Server (software for controlling 3D printers) was disclosed. In response to this vulnerability, we released content on our Dedicated Labs platform for both defensive and offensive teams:
For offensive teams: Repetitive showcases an unauthenticated arbitrary file read vulnerability in Repetier Server. The SQLite3 database file containing application credentials is exposed, and password reuse allows full administrative access to the Machine.
For defensive teams: Repetitive-D presents a realistic incident response challenge related to the offensive techniques used in the Repetitive Machine. Players must investigate an alert triggered by a suspicious file on a 3D printing server.
This 360 approach to cybersecurity upskilling promotes a comprehensive understanding of the threat landscape. It encourages professionals to think beyond their specific roles, and work together for a stronger security function.
HTB is a powerful skills development and assessment platform that builds and tests employees’ practical abilities. As shown in real-world use cases from our customers, however, using it to cultivate a culture of upskilling requires support from leadership and training managers.
It means moving away from the traditional approach of “one-and-done training” to a well-rounded, 360-degree approach to cybersecurity skills development.
Hack The Box provides a wide range of scenarios to keep your team’s skills sharp and up-to-date. Organizations like Toyota, NVISO, and RS2 are already using the platform to stay ahead of threats with hands-on skills and a platform for acquiring, retaining, and developing top-tier cyber talent. Talk to our team to learn more.
Author bio: Haris Pylarinos (ch4P), CEO and Founder, Hack The Box
Haris is a security expert with over 15 years of experience in the IT and cybersecurity industry. In 2017, he founded Hack The Box, a leading gamified cybersecurity upskilling, certification, and talent assessment platform that has grown to over two million global users.
Haris achieved 1st place in Panoptis 2017, the Greek National Cyber Defence Exercise, and has participated in cybersecurity competitions worldwide. Following his 1st place win, he helped the Greek Army design future cyber warfare exercises for 2018 and 2019.
Haris was also an EC-Council certified trainer who coached young professionals participating in the European Cybersecurity Challenge of 2017 and 2018. Feel free to connect with him on LinkedIn.