Cybersecurity Training. PHOTO: Cybercrime Magazine.

Hosted Cyber Ranges Prove Their ROI To CISOs

Remote browser-based access to security skills development

David Braue

Melbourne, Australia – May 13, 2021

The mission-critical nature of operational technology (OT) and industrial control systems (ICS) has put new pressure on CISOs, who face challenges extending conventional red-teaming and live testing practices to networks where staff can hardly be left to poke and prod for vulnerabilities.

And while virtual “cyber ranges” long ago proved their worth as a place where cybersecurity staff can test network security and build their skills in the process — establishing them has typically required too many resources for most companies to contemplate.

“It’s quite complicated,” Rupert Collier, EMEA/APAC vice president of sales at RangeForce told Cybercrime Magazine, noting that companies typically dedicate an entire group of security specialists to the task.

“Most people within an organization really do have a day job to complete — and to take them away from that and put them on a project that involves a huge amount of technical expertise and a huge amount of experience is a big ask.”

“For a CISO to justify five or ten people working over the course of a few months to create, set up, and maintain a cyber range is a significant investment — not just financially, but in terms of people’s time.”

Simon Hodgkinson, a 35-year cybersecurity veteran who spent four years as global CISO with petroleum giant bp, lived those challenges in a high-pressure environment with no room for error — and it made him such a big fan of cyber ranges that he recently joined RangeForce as an advisory board member.

Cyber ranges “are a good opportunity to test your best practices, your workflows and your incident response playbooks,” he explained, “in a completely separated, siloed environment where you’re not going to be able to do any damage if you make a mistake.”

By hosting those training environments in a virtual environment accessible from anywhere, he said, cloud-hosted cyber ranges are proving their worth in helping develop workers’ expertise in securing IT, OT and ICS environments.

They also help meet increasingly onerous governance requirements that are being enforced at the highest levels of the organization.

“The CISO is no longer buried in IT infrastructure,” he said. “For forward learning organizations, it’s now a peer to the CIOs, CTOs, CDOs and CEOs of the world — and the job of the CISO now is really about ensuring that we get access to capability.”

Yet with rapidly-digitizing businesses putting immense pressure on companies to secure a fast-growing footprint, he said, “the ways we’ve done that in the past are no longer scalable.”

As a result, he said, “cyber ranges have become a really important tool in the arsenal to make sure that organizations have access to the right capability, with the right technical expertise, at the right time.”

Unifying learning across domains

The consequences of attacks on ICS and OT networks have frequently been writ large in the headlines, with high-profile compromises of the Ukrainian power grid and Iranian nuclear facilities reflecting cybercriminals’ continual efforts to breach network security with real-world consequences.

Yet protecting these networks “is a really specialist area,” Hodgkinson said, “and it’s an area where the engineering community and cybersecurity community have never really come together to work as one — and that’s what we need.”

In this sense, he added, cyber ranges “can be a really powerful aspect of people’s capability development, blending skill sets together to create a capability to manage the ICS environment — and that requires us to be able to provide the latest training and awareness capability to the engineering community, and cross-pollinate that knowledge.”

As well as providing a simulated test environment for security teams, cyber ranges also enable individual employees to walk through cyberattack scenarios in their own time — providing a “combination learning” capability that couldn’t easily be enabled in the past.

Self-paced learning is critical to ensuring security across every part of the organization, Hodgkinson noted: “As digital organizations increasingly adopt new methodologies like Agile and DevOps and start to insource capabilities, we need to make sure that secure development practices are there — so we need that self-paced training throughout the organization, not just in cyber teams.”

For CISOs working to maintain the integrity of increasingly complex environments in the new COVID normal, Collier — citing exploding interest in virtual cyber range environments —believes a growing number of CISOs now see a formal cyber range capability as a critical part of security risk management moving forward.

Remote, browser-based access to cloud-hosted cyber ranges “helps enormously by being able to deliver the same sort of exercises — but through the browser, rather than on-premise. The whole concept of being able to democratize the idea of cybersecurity training is a very compelling message for a lot of CISOs and SOC team leaders around the world.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

Sponsored by RangeForce

Access hands-on cybersecurity training for you and your team with RangeForce Battle Skills.RangeForce hosts hundreds of interactive training modules. Each simulation-based lesson runs in a virtual environment and can be accessed on-demand from the RangeForce Battle Skills platform.

Put real tools and concepts into practice while building the skills needed to defend against the latest threats. Build custom training plans for you and your team that align to your organization’s needs.