Rethinking how we learn security

A couple of years ago, I wrote an article on the relative lack of investor and startup interest in addressing a crucial CISO priority—the preparedness of employees on the security team. Considering what seems to be a steady stream of news about breaches, what can be done to encourage more people to get into cybersecurity and how we can better prepare cyber pros to succeed?

In my own experience, I’ve read white papers and manuals, taken bootcamps and practice tests, and slogged through hours of recorded content. It’s a lot to process, and mostly dependent on the quality of the instructor or delivery format. In this evolving threat environment, content is also outdated as soon as it’s published. Also, training security professionals are focused on certifications, not necessarily practical outcomes.

There’s also an organizational problem: Who in an enterprise owns cyber readiness? HR? A Chief Learning Officer? The CISO? If we’re going to find, hire, and retain tomorrow’s cyber workforce, we must rethink how we reach and prepare people for their careers, so they can continuously learn and stay current on the threats and the tools in front of them. With up to 2 million unfilled cyber roles, this is really a societal challenge.

One innovator that is addressing this is Boulder, Colorado-based Circadence Corporation. I met their CEO, Mike Moniz, at a cyber conference in DC. After one conversation, and upon seeing their “Project Ares®” cyber learning platform, I knew they were on to something. Since then, Circadence and Microsoft have built a very promising partnership to help Circadence scale globally to reach and train more of tomorrow’s cyber workforce. They’re doing this by using Azure infrastructure and platform services; and enjoy the partnership and help.

Circadence focuses on cybersecurity learning and readiness. They build and run immersive, gamified cyber ranges that create a real-time cyber learning environment. In particular is Project Ares, which supports all security proficiency levels of an individual or team—from early career starters to seasoned cyber professionals—for enterprise, government, and academic organizations. Artificial intelligence (AI) powers the delivery of gamified training exercises in battle room and mission virtual machine environments based on actual cyberattack scenarios happening today—such as ransomware, advanced persistent threats, and attacks against industrial control systems.

I signed up for a Circadence account and gave it a shot. I’m not a gamer, but I was really impressed with the UI. Was Circadence actually trying to make learning fun? Project Ares is rooted in proven learning theories and cognitive research. They used resources like Bloom’s Taxonomy of Learning and educational concepts like “reinforcement learning” and “cognitive disfluency” (interrupting the flow of learning with the inclusion of testing, questionnaires, and polls) to match accepted learning concepts with gamified experiences. This isn’t just about making a video game for cyber. And it isn’t just “fun” but informative, educational, practical, and equally innovative without being intimidating.

The learning scenarios are immersive and address varied learning styles, which are two critical design points for maintaining player engagement and lengthening attention span. The platform draws learners across the stages of Bloom’s Taxonomy by:

  • Starting with explanations of techniques, skills, or adversary tactics.
  • Progressing through application of those skills in controlled battle rooms.
  • Arriving at the synthesis of skills and critical thinking to analyze, evaluate, and take actions in an emulated, high-fidelity network against actual malware and emulated threat actors.

Project Ares provides multiple scenarios along a work-role learning path, where you’re required to not only read about cybersecurity, but also must evaluate events in a true network and generate options to achieve objectives. The current catalog contains over 30 cyber games, battle rooms, and missions that provide exposure and experience across many of NIST’s National Initiative on Cybersecurity Education (NICE) work roles in a modern, engaging way.

To learn more about security team training on gamified cyber security ranges in Azure, I sat down with Keenan Skelly, Vice President of Global Partnerships and Security Evangelist. You can watch my interview with Keenan.

This was a great overview of a partner thinking ahead in a creative way to address a major problem in cyber. I encourage anyone interested in improving their own cyber skills, or their team’s skills, to look at gamified learning. Given how younger people interact with IT, it’ll be increasingly important in how we attract them to the industry.

In my next post, I’ll dive deeper into practical learning and defender exercises. In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.