Picture some of history’s toughest sieges. Carthage, 146 BC; Jerusalem, 1099; Vienna, 1683. Regardless of the outcome and the circle of latitude, defenders had one goal in mind – push back the attack of hostile forces, whatever it takes. The price to pay has always been high, and the fight exhausting. Back then, cities equipped with walls and fortifications aimed to keep threats away. Today, in the information society, only cybersecurity can hold off the menace of digital warfare.
Acquiring a savvy team in cyberdefence is crucial to preserve data and operations for private companies and public agencies alike. That’s why Estonian platform RangeForce gives IT professionals hands-on training in fending off attacks on business-critical assets, in a safe simulation-based cyber siege. At RangeForce, people believe that cybersecurity should not be a language spoken by the few, but accessible to the many. With a learning-by-doing approach, they’re on a mission to democratize defensive cyber skills, and level up developers and DevOps teams in some of the largest companies in the world.
In May 2019, RangeForce gathered its largest investment up to date at $1.5MLN, planning on expanding their product platform and recruiting new team members. COO Jaanus Kink gives us an insight into why cybersecurity is so salient for companies’ operational safe space.
What needs was the company born from, and what kind of expertise did you channel into the products you offer?
Three co-founders met while being part of the team organizing cybersecurity exercises for the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE).
We saw that one-size-fits-all classroom training models are outdated, as they fail to generate functional skills necessary to keep threats away. Modern digital companies need a new learning approach that is scalable, efficient, and adaptable to learners’ personal needs. For example, simulation-based training ended up being very efficient, yet inaccessible to many.
Our CTO Margus Ernits, while carrying out his teaching duties, was also sketching out a virtual training system to develop and examine learners’ skills on the side. At first, we tested the system at the beginning of 2015 at a student cybersecurity competition, with great results and feedback. A few months later, TechStars NYC program gave our business strategy the necessary extra kick to get the platform in front of enterprises. That’s when RangeForce was born, a cybersecurity training platform that helps solve the cybersecurity talent shortage.
We upskill enterprise defenders with hands-on defensive cyber warfare experience. Providing a quantitative baseline for SOC and DevOps teams to assess their real capabilities, we support companies in developing secure systems and reduce the number of cyber vulnerabilities. We aim to supercharge teams with defensive cyber operations skills that they can instantly apply to the job.
Referring to the most recent large investment you received, what will you do with the capital you gathered?
The cash injection will be used to recruit additional talent to expand the product platform. Over the years we have seen that cloud-based simulation training in a real-time setting has shown to be the most effective cybersecurity training method at scale. We’ll continue our mission to reduce cyber-attacks and cybercrime by empowering companies’ IT professionals with real-life security skills.
Every day hackers invent new creative techniques and regulators are signing off even bigger fines. For RangeForce it’s an opportunity to grow rapidly globally, as companies realize that upskilling the people managing, configuring, and defending their systems may be the best ROI lever in cybersecurity.
Which business partners do you have the closest cooperation with? Which ones helped you the most in your journey so far?
RangeForce has a global customer base across the financial, technology and healthcare sectors. Since the launch, the closest cooperation has been with technology leaders like Microsoft, Pipedrive, Barclays, and Santander.
Together with Microsoft, we launched a program to verify and certify cybersecurity knowledge and skills of learners. In a simulated environment, learners could detect, protect, and respond to a cyber threat at a fictitious company. It was a great way to upskill and support the growth of new cybersecurity talent online.
Barclays bank, instead, has been our partner since the early days. Over the years we have trained almost 400 technical professionals for Barclays from Cape Town, Prague, London, starting from NYC. One of the highlights of our cooperation has been the collaboration with Barclays, Santander bank and Cyber Security Challenge UK competitions to detect new cyber talents. Our performance-based analytics tool was able to benchmark top performers from Singapore and the UK.
We were amazed by the high-level security skills of competition participants. These challenges have supported the careers of many young cyber professionals. For example, at one of the competitions, 10 of the top 40 participants were 17 years old or younger!
Why is a learning-by-doing approach to cybersecurity important for private companies?
One of the biggest challenges facing the learning industry is ensuring knowledge retention among learners. To achieve a long-term effect, improve decision making and critical thinking skills among enterprise defenders, the training should provide scenario- and simulation-based learning.
Learning cyber defence skills is similar to the process of learning to fly. Skills that pilot students develop in VR flight simulators can be very helpful in managing new challenging conditions in a situation that students are not familiar with. Also, it takes place at a much lower cost than training in the air.
Today’s cyber threat landscape is constantly evolving. Thus, you need to train and demonstrate your team’s defence skills and collective capability before a cyber-attack ever happens. Adequate preparation will save you time and money later. With the right cybersecurity training in place, learning by defending against real attacks in a simulation, your team may be able to detect and respond to an incident or prevent a cyber-attack before it takes place. Learning-by-doing proved to be the most effective way of teaching security. We can see it provides real evidence about skill level and provides the real experience of a cyber-attack.
Do you think companies in certain, specific sectors are more exposed to cyberthreats? And what should they do to prevent being taken by surprise?
Yes, informative-sensitive industries like financial, health and energy sectors are preferred targets for cybercriminals. Financial services are the most obvious ones and the most attacked in the world, as they deal with a lot of users’ personal information. Health care and medical organizations access and store electronic healthcare records, and see ransomware as the top threat. The energy and utility sector faces its own concerns as hackers can cause power outages undermining critical defence infrastructure.
It’s a matter of proper preparation, both from the technology and team side. Here is an important assumption – humans are the ones developing systems and applications. So start by reducing human errors and test your teams’ capabilities through realistic attack simulations. Benchmarking helps to identify your team’s weaknesses and areas of priority where you need to invest next. Attackers are always one step ahead of you. Testing and training contribute to identify your real position in terms of preparedness. Plus, they provide evidence about your organization’s cyber resilience.