Focussed tools, fixing specific problems, have been an accepted cybersecurity concept since anti-virus began mitigating its namesake.
The same is true, even today. Focus is everything when readying a team to defend your organization.
Developing the right skills, at the right time, is one element. However, it is just as important to do so in a way that reflects the needs and culture of the part of the security team being upskilled.
For example, you shouldn’t upskill someone in SecDevOps in the same way as a SOC Analyst. One can learn methodically in a way that reflects dev cycles. The other doesn’t have that luxury.
This is because modern security talent exists in teams. Each has its own code of conduct, nomenclature, ways of working and culture, dictated by the roles its members perform and the responsibilities they carry.
This doesn’t mean they have to stay in these silos, far from it. However, it does mean that for skills development to be relevant, it needs to simulate the circumstances of their day job.
It’s why we dedicate ourselves to defensive teams. We understand that the people they are, and the conditions they work under, dictate the need for practical, tool-specific, structured team exercising and upskilling. Simulating a bad day at the office in detail is important because, for a SOC team, most days are a bad day at the office.
Put bluntly, learning experiences should be about value, not volume. If we’re to build vital human capabilities, these experiences need to be hyper-relevant and focussed. Spend less time just completing labs and more time exercising as a team. Perhaps more than for any other security team member, defensive team time is at a premium, so upskilling must present a tangible return against risk.
Borrowing an example everyone might understand: Amazon might have the larger library of TV and movies, but it’s Netflix’s value in delivering relevant, captivating content that makes it the go-to streaming platform worldwide.
Catch-all platforms don’t understand this. Lacking the time and resources to empathise with specific users, they try to convince customers that simply providing an endless stream of labs is better.
These non-specialist approaches miss the mark. By building a fragmented skillset, they only serve to further reinforce the idea that human capabilities are peripheral to risk and expensive: a ‘nice to have’ with an often disappointing return on investment.
It is not readiness, merely the chance of creating a skilled individual with a hero's chance of disrupting one part of one attack chain.
From our standpoint, readiness is a well-meshed team capable of interweaving technical skills with communication, clear task allocation and leadership. It is incident responders seamlessly running processes. It is teammates joking, not fighting, when someone accidentally deletes a firewall rule. It is the junior SOC Analyst able to speak up during an attack and pull the team out of a rabbit hole.
This might be a very specific view of how to build readiness, but that’s exactly the point. It must be.