By 2027, cybersecurity training spend is expected to reach $10 billion, according to Cybercrime Magazine. But where is that spend going, and are buyers happy with their choices? When was the last time this industry took a great leap forward?
In the landscape of cybersecurity offerings, especially those that target the Security Operations Center (SOC), cyberskills training has failed to keep pace with the rest of the enterprise cloud.
Many enterprises are stuck with options that have not changed since the early 2000s, sending employees to expensive, off-premise training centers that can cost days or more of productivity and offering assessments that begin depreciating the moment the employee leaves the training center. We knew there had to be a better way.
Enter RangeForce, a cybersecurity simulation and skills analysis platform that has brought modern cloud deployment to the cybersecurity industry, providing organizations with scalable, metrics-based skills training.
We first met RangeForce in 2019, when security training was fresh on our minds for a few reasons. One, we had just completed our investment in Secure Code Warrior, a company focused on teaching developers to embed security in the code during the early stages of development. It got us thinking about training at the SOC and IT operations levels. Two, we had been developing the SecureX platform, which just entered general availability in June, as a unifying force around our security portfolio. SecureX simplifies the way people buy and interact with their security products. As a paradigm shift in a fragmented industry, SecureX would seem to lend itself well to a paradigm shift in training.
For us, the value proposition was clear — a solid product model combined with a world-class founding team. We knew we had to be part of this journey. That’s why this week, Cisco is excited to announce our investment in RangeForce.
How RangeForce is reimagining cyberskills training
I sat down with Taavi Must, Co-founder and CEO of RangeForce. In this interview, he shared RangeForce’s unique approach to training and why it is resonating with customers.
Upleveling the Blue Team
The RangeForce model was inspired years ago when CEO Taavi Must, together with President and COO Jaanus Kink, helped build the cyber range for Estonian Defense forces on which the NATO Cooperative Cyber Defense Center of Excellence (CCDCOE) runs exercises.
“From that process, we learned that defense is really, really hard,” Must says. “Even the top teams across NATO had a really hard time defending against real attacks, which they played there. And the other thing we discovered was this was a realistic way to learn how to defend against real attacks, or how to be a real defender.”
Must saw an industry flooded with hackers who are great at attacking vulnerable servers but not always great at defending against an attack. “We have to make sure that we have more defenders, who can understand how the attack works but also how to detect it and stop it,” he says.
“Here is where we turned the game around. Say you are in the role of the defender. We give you your server and you need to defend it. Now our bots are going to attack you,” he says. “No platform like that on the market can provide this kind of blue-team-oriented functionality with a learning experience at such scale. This is what makes us different.”
Applying continuous learning
In the past, company leaders typically sent a small team of security recruits to an intensive weekend of training in Florida with the hope that they learned something.
Today, organizations are shifting to a new model of continuous learning that’s more accessible to a wider range of the employee base, from IT operations and software developers, in addition to the core security team.
Under the RangeForce approach, a trainee might spend two or more hours with the learning modules every week and revisit different modules every month or every year to refresh and readdress new security issues, all at a workable pace.
By taking a continuous, steady approach, RangeForce has built a security training module network that, step by step, systematically builds a team’s skills in a process that can be managed and assessed quantitatively.
“You can’t always hire the security expert that you envision, so you need to make sure that you have a way to get people to the next level,” says Must. “Training must be a continuous process. That’s how forward-thinking security operation center managers look at it.”
Security training expanding beyond the SOC
No longer are only a few security professionals tasked with defending security protocols companywide. Now, the range of individuals who interact with that system at different touch points has expanded. By training these individuals, RangeForce aims to up-skill the entire organization.
“Security is not only the job of security people,” says Must. “Security starts with the teams who build systems and who operate systems. Think of firefighters, who are absolutely needed, but at that stage, it’s too late. So we’re seeing more mature companies start to allocate budget to train the people who actually build things to prevent problems from occurring in the first place.”
This new approach to cybersecurity training helps level-set the field when employees onboard at different skill levels while offsetting factors such as staff turnover, which can otherwise result in a heavy investment loss.
Finding a better way to assess skills and talent
Historically, recruiters have gauged candidate competency by the number of certifications they receive. The problem with many certifications, however, is that they assess knowledge via a multiple choice test versus real-world skills.
“At the end of the day, it’s very simple: Can you stop the attack?” asks Must. “We try to be very hands-on and realistic. There are many people who are very good at hands-on skills and are effective on the battlefield but might not have an understanding of terms or theory.”
This hands-on approach not only validates a security professional’s skills or knowledge, but in the long-term, can also help recruiters identify new candidates from other related teams that may have transferable security skills.
“There may be software developers or operations people who are not in security but have a strong background in IT yet show great results in security and can be quickly recruited,” he notes.
Looking ahead: Changing the way people think about cyberskills
Motivational speaker and author Zig Ziglar once said, “You don’t build a business — you build people and then people build the business.”
Must has always held this advice close to heart as he looked to take the business from a small startup in Estonia to the global security community. He’s grateful for having a solid team of co-founders that has kept the RangeForce product model on course.
“As a leader, you can’t possibly do this alone,” he says. “You need co-founders and a great team.”
When I asked Must about his goals for RangeForce, he talked about changing the way people think about cyberskills training — no longer seeing it as an extraordinary challenge but, rather, similar to how we think about safety or engineering training.
On a more personal level, he also hopes RangeForce creates lasting impact in shaping the future generations of cybersecurity experts.
“Maybe 10 years from now, when people ask the experts how they got their start, they will note that their training began with RangeForce. That is my hope.”
With more than 30 employees, 100 customers, 200+ training modules and 10 cyber exercises, RangeForce is well on its way towards that vision.