I had the opportunity to spend a few days at a security conference last month, in which I talked with hundreds of people in the information security community about their fears, concerns, hopes, and plans. One thing that stood out to me was the sheer optimism and joy that most of the conference attendees brought with them. They were not there (only) for the swag or the cocktail hour or the chance to be away from their day jobs for a few days. The vast majority were there because they loved their jobs, believed in what they were doing, and wanted to learn more so they could bring that knowledge back to do their jobs even more effectively.
There’s no question that cyber security is an exciting field. Whether you are on the offense or the defense, there is a dynamism involved in which you feel that you are part of an ongoing battle to protect your business and your customers against a challenging adversary. The stakes are real, but you aren’t on a physical battlefield at risk of losing life and limb. The people I spoke with understood the fact that what they are doing matters and that the difference between winning and losing could come down to whether they are actively improving their skills to stay ahead of the latest threats and attacks.
That brings me to the question in the title of this post. Can security training change lives? I think it’s obvious that it can, but I saw this play out in spectacular fashion over the course of this conference. One of Security Innovation’s training solutions is the CMD+CTRL cyber range. It’s a series of vulnerable applications designed for participants to use as a sandbox in which they can learn what it’s like to be a black-hat hacker - playing for the other side, if you will. By playing offense, finding and exploiting vulnerabilities, they learn how to be much more effective on the defense while protecting their organization’s digital assets. We provide CMD+CTRL trainings at conferences, at OWASP meetings, and most importantly, as a corporate training for large-scale development and operations groups.
At this particular conference, I noticed a young man waiting patiently for me as I talked with a few others. When I was done, he urgently approached me, held out his hand, and while he shook my hand he simply repeated “thank you” over and over in the most heartfelt manner imaginable. It turns out that he’d been a student at one of our earlier trainings and had done quite well. The CMD+CTRL platform is set up as a game, and so as you progress you get a score, gaining more points for each vulnerability you find and exploit. This young man had ended the day with quite a high score. He wasn’t a security professional, but he clearly had a gift for vulnerability discovery, and in the course of the day he had discovered that he also had a passion for it. He left that evening with a burning desire to find some way, any way, to become more involved in the security field. Well, it turned out that someone else had been watching the training and noticed this bright, young talent. Within a few weeks, he had a new job, focused on security, and he now finds and fixes security vulnerabilities for a living. He wanted to let me know that our training had changed his life, putting him on a new and exciting track, where he could pursue his passion in a job that he couldn’t wait to get to every morning. And his company found a new security champion. In a field where there is a constant and ever-growing shortage of qualified applicants for a burgeoning need, they were overjoyed to discover talent that had been hiding in plain sight.
Lest you think this was an isolated event, I had other conversations that ran along similar lines - participants who had discovered a passion for something they hadn’t previously known was accessible to them. There is something mind-opening, and mind-blowing, about being given the freedom to think like an attacker, to play in a sandbox that teaches you the ins and outs of software security and the common vulnerabilities that lurk within every application deployed on the Internet today. I’ve seen a wide range of attendees: twelve-year-old school children, professional developers, security professionals, parents and grandparents, managers, administrators, operations, and more. The common denominator is that I’ve never seen a single person walk out of one of our security training sessions without gaining a radical new perspective on software security and what they could achieve given a little bit of mentorship and the right environment.
So can security training change lives? If done right, it will - every single time.