Having empowered more than 1,500 security leaders to develop their teams, we’ve discovered a key element that sets successful upskilling programs apart from the rest:
A positive upskilling culture.
A positive upskilling culture is when the entire security function shares a healthy attitude and vision for continuous skills development.
Driven by security leaders and senior staff, we’ve witnessed how it’s a catalyst for continuous growth within a cyber workforce that shields against burnout and boosts engagement.
But how do you build a vibrant culture of upskilling if you’re just starting with (or already using) HTB?
Inspired by the success of talented security teams we’ve partnered with over the years, below are our four actionable steps and real-world examples!
Once you’ve onboarded with our customer success team, maintain the momentum by introducing a training event on the HTB platform.
This ensures that everyone has an opportunity to engage with the platform and access training material that’s relevant to their roles.
Promptly scheduling a team event also benefits from the novelty effect of purchasing a new training tool, which can increase participation and engagement rates from staff.
Wondering what type of event you can schedule within 30 days?
If you’re pressed for time, we’d suggest hosting a CTF event using our new CTF Marketplace.
We found that a massive hurdle when organizing a CTF event is the time and technical expertise required to configure, organize, and deploy an event and its challenges.
The CTF Marketplace simplifies the process.
Within a few clicks, you can launch an exciting CTF event that unites the entire team. One of the key benefits is the ability to preview and select from diverse curated CTF packs. These packs cater to teams of various sizes, levels of expertise, and specific technologies.
(Sample of CTF packs available on the CTF Marketplace)
Aside from an introductory CTF, you can also:
Allocate time on your team’s calendar to browse the HTB platform and see what content they’re interested in. (A great way to encourage self-motivated, continuous learning.)
Pick a machine, challenge, or lab to play through with your team. Better yet, ask your team to vote on the decision.
Healthy upskilling programs carve out dedicated time for staff to train. It may sound like a no-brainer, but as we’ve seen firsthand, some security teams still struggle to systemize and scale their upskilling efforts.
The lack of structure lends itself to training that’s “last-minute” or reactive, placing undue stress on learners.
As our CEO shared in a recent post on why traditional training is failing, Hack The Box champions structured, proactive upskilling strategies that help teams stay ahead of threats.
That’s why we urge training managers to kickstart their HTB journey with a commitment to regular training sessions, ideally at a weekly (recommended) or bi-weekly cadence.
Base your training sessions around HTB content and set a target deadline for completion. After your team’s conquered the labs or challenges assigned, regroup for a post-mortem meeting focused on learning.
Post-mortem sessions are powerful building blocks of your upskilling program because they optimize for retention, self-reflection, and collective skills development.
During these sessions, your team can:
Prioritize skills gaps to tackle in the future.
Identify strengths and weaknesses at the individual and group levels.
Pair up with internal mentors to shadow or learn from.
Overall, post-mortem sessions ensure entire teams, not just individual staff, grow skills that serve your company’s security goals.
Halborn’s security team, for example, encourages groups to test new methods and techniques to deploy on security audits.
We have multiple internal workshops to show the cool things across each team that they did before and try to foster this kind of improvement.
Gabi Urrutia, VP of Security Engineering, Halborn
If a team or individual discovers new techniques while working through a lab instance, they’ll assign an internal point of contact to share the discovery with other members of the security team.
The collaborative approach supports a self-sustaining upskilling program. One that makes learning a social, team event that’s both engaging for employees and effective at teaching technical skills.
Shifting to a culture of continuous learning isn’t just about regular training sessions.
Teams should be aware of how their skills are developing in alignment with your company’s security goals. At the same time, the ROI of your upskilling initiatives should be clear to senior leaders.
Reporting features on the enterprise platform enable admins and moderators to accurately measure the value of HTB content and how staff perform.
(Screenshot shows the technical skills developed by an individual user over a 3-month period.)
As an admin, you can review users' consolidated activity collected across products and platforms to:
Report at user, team, lab, and organization levels.
Filter users by role—useful for assessing the skills of a specific group, such as job candidates, juniors, or specialists.
Review up to an entire year’s historical training activity.
Include a user’s activity from HTB Labs to see how they are upskilling outside of working hours (accounts must be synced).
This delivers insights into how your team is performing by showcasing key metrics for:
Skill progression: Skills development over a set period of time. This can be filtered by machine tags, challenge categories, and skills mapped to the MITRE ATT&CK framework (available with Professional Labs and Cloud Labs).
Overall activity: The number of flags owned for different content types such as machines, challenges, Professional Labs, and Cloud Labs.
(MITRE ATT&CK skills coverage on the Zephyr Professional Lab)
Sharing this data with your team transforms the upskilling process into a fun experience. Additionally, it’s a way to benchmark skills and show stakeholders how your training supports overall security objectives.
Consulting firm 8-bit, for example, revamped its onboarding process for new hires by pairing HTB content and reporting features.
This introduced structure to the training process, which before HTB, “was a constant scramble of Googling, watching Youtube videos, and reading blogs” and not optimized for new and junior hires.
Measurable metrics are number one. This training allows you to track what modules you’re doing, what you’re good at, what you’re not good at. You know right away whether or not you understand this stuff versus being given 50 boxes and not knowing which one you’ll be tested on and hoping at the end you know enough to pass the test.
Ryan Whicher, VP and Senior Penetration Tester, 8bit
Harnessing the power of instant feedback, 8-bit has built a smooth onboarding process in which new recruits embark on a tried-and-tested journey. This journey entails the successful completion of a predetermined number of modules and lab exercises on the HTB Academy.
The best thing about this approach? It slashes the time required to mold fresh hires into "job-ready" professionals.
Leaders who deploy a buddy system—that pairs junior staff with senior experts—report better results from their training programs.
Mentors, however, can experience a loss in productivity when they’re solely responsible for hand-crafting material and guiding junior staff on top of day-to-day tasks.
Left unchecked, this can snowball into the opposite of “an upskilling culture:”
Burned-out mentors who deliver low-quality training to beginners because they’re overworked.
You can reduce the training debt on mentors and senior staff with curated HTB content that helps:
Onboard junior employees for specific roles. Job Role and Skills Paths on the HTB Academy feature pre-built playlists that prepare your team for a specific job role, or security-related skill.
Fill common knowledge and skills gaps unique to your team’s standard operating procedures (SOP), playbooks, and expertise. Choose from and combine any HTB Academy modules into your own focused development path that’s tailored to your team.
Assess and validate practical skills. Job Role Paths conclude with a certification exam that tests a candidate's market-ready skills. (To pass the CPTS cert, for example, learners are graded on a simulated pentest and their pentest report). This validates an employee’s ability to handle real-world incidents and engagements, while also streamlining the onboarding and upskilling process.
In practice, reducing training debt means senior mentors avoid spending extensive periods of time training someone on a specific problem they could learn to solve independently.
Instead, mentors direct that employee to an HTB module or lab for the initial learning, and then, if necessary, supplement the HTB training after.
(The screenshot above shows customizable paths on Dedicated Labs. These paths feature groups of machines and challenges focused on a specific cybersecurity skill set or function.)
Lowering the technical training debt on mentors also unlocks bandwidth for senior staff to support the security team in other ways, such as:
Developing internal guidance and documentation related to your organization’s unique practices. E.g., playbooks and SOPs for real engagements and incidents.
Tracking, measuring, and reporting progress for different teams and individuals.
Continuing to shape your upskilling strategy by keeping themselves up to date with the threat landscape.
Hack The Box specializes in distinguished practical and guided cybersecurity training courses aligned with the NIST NICE and MITRE | ATT&CK frameworks, as well as unrivaled hands-on labs designed to help organizations close skills gaps, hire top talent, and protect infrastructure.
Author bio: Fedon Konstantinou, (fkon), Head of Customer Success
Fedon Konstantinou is the Head of Customer Success at Hack The Box. Passionate about helping organizations drive change with technology, he holds a Bachelor of Engineering degree in mechatronics, robotics engineering, and automation engineering from the Technological Education Institute of Piraeus. Feel free to connect with him on LinkedIn.
Noni, Sep 22, 2023
JXoaT, Sep 21, 2023