The Safety Net
Haris Pylarinos, CEO at Hack The Box, says it’s time for businesses to change the game in cyber upskilling and recruitment.
Ineffective corporate training is a major problem. Despite the global L&D market approaching $360 billion, it’s widely believed most spend is wasted.
A variety of reasons are cited for this, from unengaging content and unengaged staff to irrelevant skills programmes, a lack of purpose or failure to apply and retain learning. Poor skills development costs money, frustrates employees, impacts talent attraction and retention, and can even hold back business growth. But, while far from ideal, it generally doesn’t rise to the level of business critical in most cases.
There is one area where this can no longer be said, however – cybersecurity.
Organisations and corporate leaders now recognise that cyber risk is a critical business priority. But they’re also keenly aware of the massive global cyber talent shortage – 3.5 million by some accounts – and how a lack of skills is leaving them vulnerable to attack.
For most business leaders, cyber upskilling is now an urgent issue and ineffective training is not an option. So, they’re increasingly looking for innovative ways to engage and effectively upskill their security teams, and avoid the training waste trap.
That’s where ‘Capture The Flag’ (CTF) games can help.
WTF are CTFs!?
Long played for bragging rights by the underground hacker community, CTFs are online competitions where teams or individuals test their cyber skills in a race to solve challenges and capture the ‘flag’ – a secret code that unlocks points or rewards.
From DEF CON in Las Vegas, which is the world’s biggest and oldest with millions of dollars up for grabs, to our very own annual event, which attracted 12,000+ players from 181 different countries earlier this summer, and everything in between, CTFs are a big deal in the hacker world.
And now they’re moving into the corporate world, increasingly being used by businesses as a more engaging and effective way of delivering cyber upskilling and training. And beyond the major upskilling benefits, CTFs are also a highly useful tool to optimise the cyber talent recruitment process for businesses.
CTFs for recruitment
CTF challenges act as an ideal screening tool for cyber talent recruiters.
They can be very useful in the initial stages of an application as a way of reducing the pool of candidates. CTFs empower hiring managers to better assess a candidate’s technical proficiency and determine how they perform under pressure in a hands-on situation. Good CTF challenges mirror the kinds of problems that security teams are likely to encounter in their daily working lives, so these challenges are the closest simulation to real-life hacking scenarios.
CTFs are not only a fantastic resource for businesses, but also a way for candidates themselves to strengthen their resume. CTFs are happening all the time in the non-professional cyber world and are open to players at all skill levels. So entering these competitions is a great way for security professionals on the hunt for new roles to demonstrate their proactivity and eagerness to develop their skillset.
It’s not about winning (although that is always nice), it’s about how the learning experience can help them gain hacking experience, test their abilities and hone their technical skills. This learning can be shared with employers in the form of walkthroughs, and the added bonus is that hiring managers will be impressed by this drive in candidates.
CTFs for upskilling
A poll of UK employees, commissioned by City & Guilds Group in 2019, found that 69% of respondents complained that training content was not always exciting or engaging. This is just one report of many that point to a bored and disinterested global workforce when it comes to corporate training. It’s clear the traditional system is broken and needs a new approach.
For cybersecurity upskilling, CTFs certainly provide that new approach. That’s because, by design, they offer a fun, gamified, ‘learn by doing’ format conducted in a safe environment to test and sharpen skills, while learning whole new ones. The best CTFs build realistic scenarios that feature the latest attack methods and techniques being used by criminal hackers, so security teams can be sure they’re learning only the most relevant skills to their role.
CTFs promote collaboration and team building too. Not only is this a more effective way to learn, but it also helps to foster a more positive ‘we’re all in this together’ working environment, which is vital for embedding an organisation-wide security culture.
Most importantly, CTFs are the type of training that staff actually look forward to, rather than skipping or switching off, and many even get competitive in the race to learn.
Toyota is a great example that showcases the benefits of using CTFs as part of a company’s internal training programme. The car manufacturer was looking for ways to make their cybersecurity training more effective and hands-on, so they ran a series of trial competitions for their security team and invited employees from other departments. These special events helped dramatically enhance training engagement levels. Since implementing the initiative, the security team saw a 150% increase in team learning participation. Those who participated reported that the challenges improved their knowledge and skill set within 11 months.
The biggest takeaway has been that staff have learned how to apply that knowledge to real-world situations. In fact, it was such a success that the security team now runs a company-wide CTF every Friday afternoon. Toyota also found that talent recruitment efforts were strengthened, as cutting-edge training and development initiatives like this were seen as an attractive tangible benefit that candidates looked for.
The gaps in cyber skills and in effective training demonstrate the urgent need for businesses to shake up their training programmes. The speed, volume and sophistication of attacks are only increasing, so security leaders need to constantly find new ways to keep pace with the criminals. This means ensuring their teams are equipped with the skills to deal with the ever-evolving methods and techniques of bad actors. CTFs are one way in which real gains can be achieved in keeping skills sharp, while also finding only the best performing new talent to strengthen security teams.