Games, badges, colorful illustrations. Probably not the words you’d associate with cyber-skills training. But, for Immersive Labs, this is the future. I talked to Chris Pace, Technology Advocate, about why traditional cybersecurity lectures don’t work, the importance of engaging employees about cyber-skills, and a game-changing new development – Bandersnatch for data breaches.
Ryan Loftus: Who started Immersive Labs, and how did they come to found it?
Chris Pace: Our founder, James Hadley, was working as a cyber-skills instructor at the Government Communications Headquarters (GCHQ). After running PowerPoint-heavy cybersecurity courses in dark rooms, he could see first hand how ineffective this way of training is. The more PowerPoint he did, the less engaged people were. This was where the idea for the company was born, from his frustration that traditional classroom cyber-skills training methods don’t work.
No more death by PowerPoint! What’s the big vision?
At first, we felt we could deliver a platform that could be used by learning and development professionals to deliver engaging cyber-skills training. But the way we’ve evolved the platform has moved things on. Now, our vision has expanded from providing employees with training to allowing companies and businesses to track and measure their cyber-capabilities. What skills do they have? What skills do they need? For many companies, that’s a huge thing, especially for large financial enterprises.
Helping employees and their businesses – nice. How does the platform work?
Immersive Labs offer bite-sized cybersecurity challenges – otherwise known as “labs” – that people can complete using a cloud-based platform, anytime and wherever they want. Essentially, these labs are a collection of individual games that place the user within real-life cybersecurity scenarios. The labs ask you for one answer to a question, but you have to do three out of four tasks to get that answer.
There are badges, points, illustrations – it’s designed to engage, as opposed to teach. And they cover a wide range of topics; we have over 600 labs and counting. One of my favorites is the penetration testing lab – you basically hack a power station. You understand the industrial control system, find weaknesses in the software then work out how to exploit it. We’ve set up a webcam showing a simulation film for when the user finishes. When you hack the power station, the webcam turns on and you see the power station shutting down. It’s a bit of fun, but it’s a cool outcome that immerses people in the environment.
That example is quite specific to cyber professionals, but we offer hundreds of different labs for varying levels of expertise. They range from how to spot a phishing email to how to code securely; there’s something for every level of cyber-knowledge. When we start working with a new client, we help them tailor objectives that shape what labs we advise. For example, one goal might be ‘develop employees into roles where they are cybersecurity proficient,’ then we recommend a series of labs for them to complete.
It’s an entirely different way of looking at the cyber-awareness issue. What are the benefits of training employees in this way?
Traditional classroom environments aren’t for everyone. And when it comes to cyber-skills training, or more importantly, your business security, you need to engage people to understand how to stay cyber secure. By gamifying and framing training differently, you can teach lessons that stick.
Our technology plays into a current trend: mobile gaming. It’s the on-demand element, users can access our platform from their computer, tablet or mobile device wherever they are, whenever they want. That’s a huge benefit. Our data shows that over 50 percent of people taking the courses are doing it outside of work and on weekends as they want to be top of the company leader board on a Monday morning.
But the benefits go beyond engaging employees. From the business’s perspective, knowing the types of skills you have, or more importantly, don’t have, is invaluable. Using our technology can help identify where to plug those skills gaps. It also encourages businesses to grow that talent internally from the resources they already have.
Right now, it’s clear we need to get to a place where we’re not sourcing cyber-professionals, we’re developing them. Platforms like ours can help businesses do that. Sourcing people is expensive; growing talent saves time and money in the long run.
There’s a considerable need for home-grown cyber professionals, for sure. How do Immersive Labs differ from similar technologies on the market?
I think what sets us apart is our depth – we have over 600 labs and counting. We pride ourselves on adding new content directly related to the threat landscape. When something new comes along – whether that’s a new malware or cybercrime group – we deliver a lab to educate businesses on the threat. So when a new threat hits the news that’s relevant to our customers and the broader security community, we immediately create something to help them understand it. Roughly, we add four labs a week. Then if something is in the news, we add a lab on the same day.
Wow, that’s quick! What challenges have you faced so far?
One of our biggest challenges was finding a way to show clients the value our product can add. Persuading people can be tricky, especially if they’re used to classroom lectures and online courses.
Other than that, classic growing pains. Notably going from a small team in a shipping container to a 100-person office. The change in culture can be a challenge, but we’ve done a great job of adapting.
On the flip side, what’s been your biggest success?
Being made the de-facto cyber-skills provider for the NHS (UK’s National Health Service) – that was a major success for us. As a relatively new company, any new customer is a success. It shows that people see the value of our product. Now, as we’ve grown, we don’t need to try and show businesses the value Immersive Labs can add, they understand straight away.
That’s a nice position to be in. What does the future hold?
Right now, we’re working on a cyber-crisis simulator. It does what it says on the tin: puts people into a real-time cyber crisis. It’s carnage! There’s literally a breach happening right now, what are you going to do? What decisions are you going to make? And ultimately, how will those decisions impact your reputation or share price.
You can do it in teams, or individually, and you get immediate feedback. There are tons of visualizations, data and metrics showing performance, which good decisions you made and why, and where there is room for improvement. Has your CEO been seen sweating on live TV? Have you had a media alert to say your share price has fallen through the floor? There are so many ways it can go, that’s what makes it interesting. It’s like Bandersnatch for breaches (an episode from the recent Netflix series Black Mirror using interactive choose-your-own-adventure paths) – and our customers’ need for it has driven this product. They’ve told us they want it.
Thanks Chris – best of luck in the future!