Cybersecurity Training. PHOTO: Cybercrime Magazine.

CISOs Look To Bake Simulation Into Cyber Defense

Cloud Range CEO Debbie Gordon explains how

David Braue

Melbourne, Australia – Aug.5, 2022

For all the new trends in cyber attacks and security defenses that CISOs have faced in recent years, it’s easy to forget that security, like so many business processes, is an inherently human process — run by humans, managed by humans, protecting humans.

And that, as any CISO knows, means it is prone to mistakes or shortcomings that must be anticipated and managed — but despite this, Debbie Gordon has been seeing some encouraging signs in recent years.

“In the last four years, I have been pleasantly surprised when we’re talking to CISOs and security leaders in general [that] they do acknowledge that things aren’t perfect,” Gordon, who is cofounder and CEO of cyber training organization Cloud Range, told Cybercrime Magazine.

“There’s been an evolution from people who think that technology solves all problems, to people who acknowledge that there are going to be problems,” she explained.

“The bad guys are going to be one step ahead — as we hear about in the news every day — and [CISOs] have to acknowledge that everything is not going to be secure, that they have to train people to make them aware, and that they really have to do as much as they can to stay ahead of what be yet to come.”

Cybercrime Radio: Cybersecurity Training Market Heats Up

How to prepare your team

That training is the focus of the latest venture from Gordon, a serial entrepreneur who in 2018 debuted the company as a way of improving companies’ access to security simulation training designed to help security teams learn how to fight cyber attacks before they’re faced with the need to respond to a mission-critical breach.

It’s a market that has heated up steadily since, with the breach and attack simulation (BAS) tools market, as Gartner calls it, expanding rapidly as new ventures productize methods that used to be the purview of cybersecurity specialists using esoteric command-line tools.

The company’s focus, she explained, is “helping companies be more proactive and go through very high-fidelity training exercises to prepare their teams for what’s to come.”

“People are only as good as the experience they have.”

Building simulation into security culture

Amidst an intensifying cybercrime climate — cybercrime will cost the world $10.5 trillion annually by 2025, Cybersecurity Ventures has predicted  — CISOs are increasingly tapping simulation tools to test their staff across a broad range of scenarios, including the ransomware nightmares that have created problems for businesses and governments alike.

“Regardless of how a company is hit with ransomware, they have to not only have a plan of what to do and what decisions to make,” Gordon said, “but they have to practice that plan — because knowing what to do and [knowing] how to do it are two very different things.”

Dusty playbooks only have so much value, and are quite often found to be deficient at the worst possible time after they’re pulled out for guidance during an incident response.

Apart from the technical aspects involved in remediating an attack, Gordon said, businesses also need to be aware of the implications of those responses on everyday business functioning.

“If you decide to shut down a division of the company, what are the impacts of that?” she explained. “There are a lot of ancillary ramifications of the decisions they make, and a lot of times companies don’t think about these things — and how far those decisions have to go beyond just ‘do we pay the ransom?’”

Maintaining those broader conversations internally requires cybersecurity remediation to be inculcated into the company culture  — and in support of this, Gordon said, simulation training “has become an integral part of security programs.”

“We work with companies that do dozens of different types of attack scenarios every year,” she explained.

“They’re focusing on different roles and teams — whether it’s SOC or incident response or forensics — and they just know they have to be proactive, and give people the experience they need.”

“It creates muscle memory and brings up their confidence, so that when they do go back to their production environment, they’re measurably that much more effective.”

“We’re ultimately able to measure a team’s detection and response time and show improvements over time — and for security leaders, that’s an indicator of a decreased risk.”

Yet even with the right access to the right tools, CISOs are aware that there’s more to improving cyber defenses than just running simulations.

Maintaining a fully proactive cyber culture requires addressing two major elements, she said.

The first is to make the culture of a company secure so that everybody in the company can be aware of security.

The second, which particularly falls under CISOs’ direct control, is the culture within the cybersecurity workforce — of which regular simulations are an increasingly important part.

“That’s something that a lot of attention is being paid to now,” Gordon said. “When leaders are looking at people, process, and technology as a whole versus just technology, or just technology and processes, they’re a lot more effective.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.

Sponsored by Cloud Range

Cloud Range exists to ensure that our customers and partners build and maintain a successful cyber range and simulation program within their organizations.

Cloud Range Cyber is led by a leading group of security executives and engineers who identified the need for military-grade simulation training for enterprise security teams. By developing a flexible training solution, enterprise security teams and MSSPs can overcome the skills gap while ensuring that their teams are truly prepared for cyber combat.

Our mission is to make simulation training a standard part of cybersecurity certifications and education, no different than other professions that require hands-on skills development before becoming a functioning practitioner. This allows companies to ensure that their security teams have the opportunity to train, practice, and implement security defense techniques in their organizations before they happen.