In 2008, just a year after large-scale, state-sponsored cyberattacks on Estonia, NATO set up its Cooperative Cyber Defence Centre of Excellence in Estonia's capital, Tallinn, to strengthen its capabilities and improve cooperation and information-sharing among its members and partners.
Among the contractors who helped build a military-class cyber range for NATO's cyber exercises, were IT-infrastructure and security specialists Jaanus Kink, Margus Ernits, and Taavi Must. A few years later, they decided to found a startup based on the experiences they had gained.
"We saw how useful cyber exercises are for defense teams. Once we realized that this kind of learning experience could help cyber teams around the world, we started to build RangeForce – a platform for hands-on training of cyber defenders and running cyber exercises at scale," RangeForce CEO Must tells ZDNet.
SEE: Security Awareness and Training policy (TechRepublic Premium)
RangeForce provides cybersecurity training for companies of varying sizes, combining cloud-based, hands-on training modules and cyber-siege challenges and exercises.
The company provides modules across three main areas, aimed at improving security, application, and DevOps teams. In each area, there are different learning paths, and it tracks how the most popular modules are used.
In recent years, RangeForce has moved its headquarters to Washington DC and now employs 75 people worldwide, with 35 of them in Estonia. In July, it announced a $16m series A round led by Energy Impact Partners, with Cisco Investments among the investors.
RangeForce's primary customers are companies that are big enough to have a security operations center, or SOC.
"SOCs are terribly expensive to operate at an estimated $2.86m annually per enterprise, a third of which is employee cost. Training new analysts is a top priority, which can take up to a year per employee," explains Must.
He says security is experiencing a bad skills gap, with 51% of companies unable to find the new cybersecurity talent they need.
"If you factor in that analysts typically leave after about two years and it takes, on average, eight months to find a new one, you can see why training and building skills are a top priority."
Must explains that a typical customer for RangeForce is a large multinational organization, which has hundreds of security professionals.
The professionals can use RangeForce learning paths based on their roles with, for example, the SOC 1 analyst path covering 30 modules in topics like MS PowerShell.
"The company gets to track and see their progress in real time. This can't happen when an employee is watching a teacher or a video," says Must.
"They work hard towards goals. They practice them on their own and in sieges with their colleagues, and then they use them to rectify security flaws in real time. They make training part of their day-to-day work."
Must says a company can then also train employees across disciplines to get more out of people.
"For example, even in a small company, people who deploy applications typically do not handle incidents. With our security vendor modules, they can take a 45-minute training module and learn how to use a new tool that expands their skillsets and makes them more valuable to the company."
Must believes that in the cybersecurity field, the main problem lies in not being able to attract, train, and retain the talent necessary to protect the enterprise.
"We have plenty of technology but the capability to make them effective at using that technology is nascent," he says.
"It's ludicrous to think we can become effective cyber defenders without regularly practicing and testing the ability of a security team to work together under a high-stress environment."
Must argues that no other companies combine cloud-based training and cyber-siege exercises. RangeForce has spent the past year building a content-development engine that includes coders, security experts, teachers, and writers.
Today the company delivers eight to 10 new training modules per week, ranging from beginner classes to advanced training. He says by the end of 2020, RangeForce will offer over 500 hours of training.
"Companies need content that expands into important security processes that are gaining favor like DevSecOps. They also need content that aligns with the latest security tools on the market like Cisco's new SecureX integrated detection and response platform, and for the latest vulnerabilities and threats."
Must reckons the future of security training involves a lot more integration.
"Gamified training lesson technology will be integrated with vendor security solutions from companies like Cisco, Carbon Black, Recorded Future, and others. The concept of training as a layer in the stack is brand new," he says.
"Customers like it because it helps them get more out of their investments. It's been said customers typically use around 25% of the capabilities of a security product. That's one of the reasons why breaches still happen so regularly. It's not just about more and better training, but making the best use of their tools and integrating their training products."