In 1885, a psychologist named Hermann Ebbinghaus published his theory on learning retention, known as the Forgetting Curve. His research theorizes that most people forget up to 80 percent of what they’ve learned within 48 hours unless the information is reviewed time and again. With Deloitte reporting that 67 percent of employees believe their careers require them to receive regular skills updates, corporate trainers are constantly creating workarounds to minimize the curve’s impact. Given the validity of the Forgetting Curve, why do we still train SOC staff using quarterly classroom courses or bi-yearly tabletop exercises when they’re not effective?
Certainly, there was a time when training SOC teams using classroom sessions, tabletops, in-person demonstrations, webinars, and dense tomes of instruction manuals sufficed. But the world has changed. Networks are exponentially more complex, attackers are more sophisticated, and constantly shifting risk vectors have fundamentally changed the nature of cyberdefense. These methods -- call them “Training 1.0” -- have provided diminishing returns to the point where using them on their own has become a waste of time and resources.
So we responded, evolved, and came up with Training 2.0. With v2.0 we added essential hands-on components. We added sandbox environments and the ability to look at snapshots of a network during and after an attack. We practiced forensics, performed root cause analysis, and viewed log files. We created capture-the-flag challenges to hone pen-testing skills and added “what-if” scenarios requiring trainees to write simple scripts. Some trainers used gamified environments where trainees could earn badges, credits and leaderboard status.
These improvements have greatly helped to develop competency, but they don’t prepare SOC teams for the experience of a real-world cyberattack. Investigating a snapshot of a network or running code in a sandbox is great, but it doesn't capture the stress of a live attack. Modern cyber defense requires SOC analysts to detect, investigate and respond to an attack as it unfolds over the course of several hours, under severe time pressure. Furthermore, without consistent practice, the tools and procedures required for rapid response will be quickly forgotten.
So, given the growing need to train and retain competent cybersecurity professionals, employers sought a third option. “Training 3.0” features a new training modality: Experiential Learning, which is exactly what it sounds like -- learning by doing, a.k.a. hands-on training. Using a platform called a cyber range, SOC teams respond to simulated cyberattacks that expose them to the reality of an escalating attack and all the factors that might impact their ability to perform in the moment.
Experiential learning techniques such as simulated phishing attacks have become the norm for end-user awareness training, but most companies have been slow to adopt them in the SOC. That’s slowly starting to change, but the magic of Training 3.0 occurs when hands-on training is combined with frequent repetition. The combination of these techniques enables SOC teams to develop “muscle memory” for critical skills while enabling employers to gauge how well analysts perform in high-stress situations and respond to curveballs during a disruptive attack.
Experiential Learning needs to become the standard for training cybersecurity professionals. It’s not just a good training decision, it’s a good business decision, for three main reasons. First, experiential learning accelerates competency. Every attack is unique -- when your SOC team has practiced dealing with surprises, they’re not easily rattled or blindsided and will respond more appropriately. In addition to developing technical skills, cybersecurity teams also develop soft skills such as critical thinking, problem-solving, and decision-making.
Second, it bridges the gap between theory and practice. Simulated cyberattacks are as real as they get. They take playbooks off the page and give SOC teams firsthand experience dealing with cyberattacks before they encounter a critical attack on the job. This ensures SOC staff are prepared and equipped to deal with worst-case scenarios using the “muscle memory” they acquired through regular practice.
Finally, it delivers exceptional return on investment. After delivering more than 300,000 training sessions, we’ve learned that frequent hands-on training sessions reduce the time it takes a new cybersecurity employee to be cleared for operational readiness by 66%. That means a new analyst can be ready in one third of the time required by other training methodologies. In a world where it takes three-plus months to recruit and up to a year to fully train cybersecurity staff, that means a shorter exposure period, a quicker reaction time, and a faster path to a fully staffed, operational SOC.
By turning thought processes into a force of habit -- into “muscle memory” -- Experiential Learning enables organizations to forget about the Forgetting Curve once and for all.
Adi Adar, CEO, Cyberbit