When it comes to cyber skills, the classroom is dead
How many times have you endured a dry-as-dust PowerPoint presentation or clicked through a tired e-learning course only to realize that, despite hours of 'teaching,' you remember virtually nil? It's easy to blame yourself when this happens; you may feel guilty or even harbor doubts about your ability to retain knowledge. It's likely, however, that the material simply wasn't practical, engaging or relevant enough — flaws magnified when you are spoken at in a stale classroom environment.
This is especially true of subjects with a large technical element, such as cybersecurity, which are best learned through facilitation rather than instruction. In a classroom, learners are rarely (if ever) of identical abilities, meaning the group can only go as fast as the least technical person. The content dates quickly because of cyber's dynamic nature, and this can result in irrelevant material being delivered.
In short, the way cybersecurity is taught — at university and during traditional training — is no match for the evolving threat landscape. Static measurements of skills such as certification and periodic training cannot keep pace with new threats that even the savviest security teams are unfamiliar with. The barrage of 24-hour threat intelligence is increasingly disconnected from the skills of these security teams, meaning badly trained defenders are simplifying attackers' jobs.
More importantly, the best cyber talent dislikes being 'taught'. These naturally curious individuals are the kind who take things apart just to see how they work. They want to learn by doing, so the best way to develop their skills is by providing access to the tools and techniques adversaries are using in the real world. And while this may sound risky, it really isn't. Sandboxed environments allow learners to experience malware securely so that they can study real threats without consequence. The result is defenders who think like the bad guys.
By gamifying practical learning experiences, you can make them more engaging and ensure learners keep coming back for more. That's because game mechanics such as leaderboards, points and badges encourage friendly competition and give learners a sense of achievement when they succeed. These mechanics are great for engaging those who lack technical expertise — and this is paramount considering the global cyber skills shortage. Furthermore, cybersecurity is the responsibility of everyone in an organization, not just a few specialists (as in days gone by). In fact, every employee should have some degree of cyber awareness, so the learning process must, above all else, be fun.
Developing a new skill by practicing is the best way to learn, especially in cybersecurity where theory learning can only get you so far. To demonstrate how effective hands-on learning is, we will be conducting a simple experiment at our stand (702) at Black Hat. This will involve an interactive area on our stand where people can come and learn how to program key cards. They can then use this newfound knowledge to hack an RFID lock and earn their reward.