In 1885, a psychologist named Hermann Ebbinghaus published
his theory on education retention called the Forgetting Curve. His research theorizes that most
people forget up to 80 percent of what they’ve learned within 48 hours unless
the information is reviewed time and again. With Deloitte reporting that 67 percent of employees believe
their careers require them to receive regular skills updates, corporate
trainers are constantly creating workarounds to minimize its impact. Given the validity of the
Forgetting Curve, why do we still train SOC staff using quarterly classroom
courses or plan bi-yearly tabletop exercises if they’re not effective?
Certainly, there was a time when training SOC teams using
classroom sessions, tabletops, in-person demonstrations, webinars, and dense
tomes of instruction manuals sufficed. But the world has changed. Networks are
exponentially more complex, attackers more sophisticated, and constantly
shifting risk vectors have fundamentally changed the nature of cyberdefense.
These methods — “Training 1.0” — have provided diminishing returns to the
point where using them on their own has become a waste of time and resources.
So we responded, evolved, and came up with Training 2.0.
With v2.0 we added essential hands-on components. We added sandbox environments
and the ability to look at snapshots of a network during and after an attack.
We practiced forensics, performed root cause analysis, and viewed log files. We
created capture-the-flag challenges to hone pen-testing skills and added
“what-if” scenarios requiring trainees to write simple scripts. Some trainers
used gamified environments where trainees could earn badges, credits and
These improvements have greatly helped to develop
competency, but they don’t prepare SOC teams for the experience of a
real-world cyberattack. Investigating a snapshot of a network or running code
in a sandbox is great, but it doesn’t capture the stress of a live attack.
Modern cyber defense requires SOC analysts to detect, investigate and respond
to an attack as it unfolds over the course of several hours, under severe time
pressure. Furthermore, without consistent practice, the tools and procedures
required for rapid response will be quickly forgotten.
So, given the growing need to train and retain competent
cybersecurity professionals, employers sought a third option. “Training 3.0”
features a new training modality – Experiential Learning, which is exactly what it sounds
like — learning by doing, a.k.a., hands-on training. Using a platform called a
SOC teams respond to simulated cyberattacks that expose them to the reality of
an escalating cyberattack and all the factors that might impact their ability
to perform in the moment.
Experiential learning techniques such as simulated phishing
attacks have become the norm for end-user awareness training, but most
companies have been slow to adopt them in the SOC. That’s slowly starting to
change, but the magic of Training 3.0 occurs when hands-on training is combined
with frequent repetition. The combination of these techniques enables SOC teams
to develop “muscle memory” for critical skills while enabling employers to
gauge how well analysts perform in high-stress situations and respond to
curveballs during a disruptive attack.
Experiential Learning needs to become the standard for
training cybersecurity professionals. It’s not just a good training decision,
it’s a good business decision for three main reasons. First, experiential
learning accelerates competency. Every
attack is unique – when your SOC team has practiced dealing with surprises,
they’re not easily rattled or blindsided and will respond more appropriately.
In addition to developing technical skills, cybersecurity teams also develop
soft skills such as critical thinking, problem-solving, and decision-making.
Second, it bridges the gap between theory and practice. Simulated cyberattacks are as
real as they get. They take playbooks off the page and provide SOC teams with
firsthand experience dealing with cyberattacks before they encounter a critical attack on the job. This ensures SOC
staff are prepared and equipped to deal with worst-case scenario situations
using the “muscle memory” they acquired through regular practice.
Third, it delivers exceptional return on investment. After delivering more than
300,000 training sessions, we’ve learned that frequent hands-on training
sessions reduce the time it takes a new cybersecurity employee to be cleared
for operational readiness by 66%. That means a new analyst can be ready in 1/3
of the time that it would take versus other training methodologies. In a world
where it takes three-plus months to recruit and up to a year to fully train
cybersecurity staff, that means a shorter exposure period, a quicker reaction
time, and faster time to staff an operational SOC.
By turning thought processes into a force of habit, into “muscle memory,” Experiential Learning enables organizations to forget about the Forgetting Curve once and for all.
Adi Adar, CEO, Cyberbit