Helping Employers Hire More Effectively Using Cyber Range Simulation-Based Assessments

Enable job candidates to demonstrate their capabilities

By Debbie Gordon, CEO, Cloud Range

The Current Problem 

The ever-changing threat landscape requires cybersecurity operators to have knowledge and skills that must remain equally dynamic. Further, it is imperative that these cybersecurity defenders need to know what they should do during an attack, and it is even more important that they actually have the ability to do it. This poses an ongoing challenge when assessing candidates for integral roles in cybersecurity. Why? Because industry-standard certifications typically measure knowledge, NOT actual skills. Additionally, the job experience that a candidate brings does not necessarily determine whether they are able to perform. 

Disparities in Candidate Qualifications and Requirements 

There are four reasons why having a pre-hire method for assessing a candidate’s qualifications is a best practice. 

1. Employers, when outlining the “requirements” for a given job opening, often face a disparity between the listed requirements and the actual knowledge and skills necessary for a potential candidate to perform the tasks of the proposed job. This may occur when the person writing the job description isn’t part of the hiring manager’s team and isn’t familiar with the details of the work.

2. Resumes and certifications do not tell the whole story of a candidate’s capabilities. In fact, someone may meet the requirements in a job description, and as a result “qualify” for the job, but until they are assessed on the activities required to succeed in such a role, an employer does not have enough information to ensure they are making the right hire. 

3. There are plenty of potential applicants who may never apply because they are alienated by overly restrictive job requirements, even though they would be perfectly capable of performing the job. 

4. Adoption of the NICE Framework solves part of the problem of matching talent to the required work. By outlining and standardizing the specific KSTs  for a given “Work Role”, an employer still cannot reliably confirm that a candidate can actually perform the work, especially in a live, high-pressure, heavily-tooled cybersecurity defense environment. Some employers may use lab-type assessments, but labs simply assess pieces of what a role would require, and do not reflect a candidate’s abilities to perform the job as a whole.

Taking the Guesswork out of Hiring for Cybersecurity Roles

Until recently, there has not been a way to assess whether those KSTs are effective when a candidate puts them to work in real time. Cloud Range has developed an innovative solution that applies this concept to cybersecurity hiring and talent development. Using their cyber range, Cloud Range developed simulation-based, assessment exercises that mimic actual work roles as defined by the NICE Framework. These immersive assessments allow candidates to perform as they would “on-the-job”, in a safe, yet realistic environment that enables employers to determine how a candidate may actually perform a specific job, regardless of what certifications, degrees, and “experience” the candidate may have. Each simulation exercise results in a detailed report that outlines the knowledge, skills, and tasks utilized, plus the corresponding results of the application of each of those elements in the simulation exercise.  

Cloud Range’s simulation exercises can be customized and administered by employers to mimic a specific role, like a Tier 1 SOC Analyst or a Forensics Examiner. The customizable platform includes real security tools that a job may require, like a specific brand of a SIEM. For example, a candidate for a Tier 1 SOC Analyst role may use QRadar or Splunk to look at live traffic and alerts during the simulation, or for investigating alerts to identify false positives.

Alternatively, job seekers, including those currently in the cybersecurity workforce or those entering the workforce for the first time, may also take a Cloud Range Assessment for a given NICE Work Role, which they can then provide to potential employers. This accelerates the hiring process and also creates a more level playing field for candidates.

When an organization is only as strong as its weakest link, it’s crucial for employers to know that the cybersecurity professionals defending the organization are not only qualified on paper, but are truly prepared to perform in a high pressure environment. 

Immersive, simulation-based assessments yield results that allow employers to determine whether or not a candidate has the necessary capabilities for the potential job, and also to assess what additional learning and experience the candidate will need to be fully job-ready, should the company choose to hire them. This sets the candidate up for success and creates greater likelihood of job satisfaction and ultimately employee retention.