In my recent posts, I have discussed the path to “getting there.” Getting Certified. Getting a Cybersecurity degree that lands your target job. Evaluating and getting products and technologies to help strive for more comprehensive security. So now what? What’s missing?
I hinted at it, and Debbie Gordon brought it up on a comment before citing “Simulation as a standard for Cybersecurity” … Practical application, practice, and proficiency are what’s missing from the previous topics. As I’ve discussed, getting the piece of paper saying you did well in passing a course, class, test, or memorizing frameworks and theories may work to get the interview. Still, if that is the only arrow in your quiver, all the good intentions will not satisfy landing the role. “Doing” is the best way to hone proficiency. But resume bullets of positions that fit the “doing” category alone may not be enough.
In the early days of the CMMI (Capability Maturity Model Integration), I had to remind my clients that “just because you have a very mature process (complete with documentation and continuous process improvement), does not mean it is “effective,” or, for that matter, even “good.” The same goes for citing your past work at an employer. While this shows “time in grade” it is, by no means, an indicator of proficiency.
Proficiency develops through “live-fire events.” Events that may come from left field and have an urgency for which to address. The challenge here is that the limited opportunities to respond to an event or situation that requires grace under fire come infrequently and sporadic in many corporate environments. Much of the time, a responder or security professional will be looking at potential Indications of Compromises (IoCs) and running down rat holes. This activity is much different from quickly and efficiently employing a broad range of tools, interacting with many other departments, stakeholders, or cordoning off malware and bad actors. Preparedness from daily “run and maintain” tasks is where simulation helps keep the responders sharp. Simulation Standards apply to operational staff as well as job seekers. Skills atrophy is a real degradation of proficiency driven through a lack of (or opportunity to) practice. If the team is going through the motion of looking down rat holes for IoCs, it can be difficult to quickly swing into full alert mode when an actual event occurs.
For the job seeker, to add weight to the new degree or certification, I believe there is a real need to augment the experience, credentials, and formal study with simulation standards (and scoring). Being a “Missouri Boy,” I have lived my life insisting that folks don’t just “tell me how good they are” but that they “show me.” That is what simulation exercises will do. It will prove that not only will your potential hire, team member, or entire team be prepared to execute, but the simulation will also benchmark and score efficiency and effectiveness.
Creating “muscle memory” is what regular simulation can accommodate. I will use a winter driving example. An inexperienced driver (or one that has not driven in the winter for a long time) may be taken off guard by hitting a patch of ice and losing traction. Contrarily, the season winter driver instinctively knows how to take corrective action and navigate the condition with ease. This “muscle memory” principle is the same for the cybersecurity teams as they go from the routine daily activities to stepping up to an actual event. By leveraging regular simulation exercises in a “live fire” environment, teams will gel under pressure and develop a “second nature” rhythm and cadence to their risk mitigation, remediation “dance” It comes down to the desired preparedness. Would you rather your Cybersecurity and IR teams be watching their feet doing the Box step or gliding across the floor doing the tango?
But you may be wondering if I have created a catch 22 here. I stated that “real events are few and far between,” then I said simulations should be “live fire” events. It is recommended, and, almost necessary, to look to third parties to help with the simulation standards and run a safe, isolated, real environment.
An organization should look towards a Cyber Range to facilitate the environment, attack scenarios, and proficiency measurement. Unfortunately, this “Cyber Range” space is defined differently by different companies. It doesn’t mean the same thing and does not truly develop the desired team dynamics or proficiency.
Years ago, when MSSPs were cropping up on the scene, there was a D.C. based company, RipTech, that shown brightly very early on. RipTech was a Managed SOC to which all other SOC providers aspired. Their secret was that they delivered what the client needed and expected. I have found a “RipTech like” provider in the emerging Cyber Range space, one that sets the bar for what a real Cyber Range, offering Simulation as a Standard, should be. If you’re intrigued by the concept of increasing proficiency, effectiveness, and developing repeatable “muscle memory” in your teams, I would be happy to assist.
Please send me a note on LinkedIn to discuss simulation options. I will be glad to help define success criteria, custom needs, and desired metrics while making introductions for your organization to the “cream of the (Cyber Range) crop.”