SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Story image
The top things to consider when investing in a cyber range
Wed, 5th Apr 2023

Just last month, more than 30 teams from 11 different countries participated in a special military cyber defence exercise, Defence Cyber Marvel 2, organised by the British Army via a cyber range solution based in Tallinn, Estonia. These sorts of exercises using cyber ranges are becoming more commonplace, particularly in the context of the ongoing military conflict in Ukraine and attacks on critical national infrastructure.

However, it's not just governments or armed forces that require cyber ranges. As cyber threats continue to evolve, companies need to be able to adapt, prepare their IT-personnel and react to protect themselves and their assets. This is where cyber ranges have emerged as a solution for many businesses and other organisations outside of military and defence.

But what exactly is a cyber range? Well, it is essentially a virtual, simulated environment used to train cybersecurity professionals and test a company or organisation's capability to respond to cyber attacks and critical incidents caused by cyber threats.

Cyber ranges generally include simulated network infrastructure, systems, and tools that enable businesses or organisations to experience various cyber-attack scenarios in real-time and assess their preparedness, defence capabilities and skills, and how effective their existing training efforts are.

But for organisations or companies looking to invest in a cyber range, how do you know where to start? What should you look out for? Well, while the concept may seem straightforward, a cyber range is a complex system requiring both technical (physical hardware, computing power and software) and organisational (human training and learning) elements. The complexity of the task may lead to very expensive and unnecessary purchase decisions if not considered carefully.

Here are five key considerations for enterprises considering investing in a cyber range:

1. Identify the business requirements

The first thing to establish is what specifically you will need a cyber range for? This is where it is important to focus on the impact and outcomes you want your investment to have. Ask yourself:

  • What should the ideal outcome look like?
  • How many people (and who) should participate in the training exercises?
  • What should the participants learn and prepare for?
  • How often will the cyber range be used, and what kinds of training events will be hosted?
  • Which technologies will need to be involved?

It will be much easier to compare different offerings once you've determined the above.

2. Find the balance between features and capacity

There is no point in spending all of your investment in technical infrastructure if what you need most is training content and improving cyber skills among your team. It's therefore important to consider the following areas:

  • Are you aiming to build a national/international cyber range capability - or an affordable training environment for your workforce?
  • What use cases are you planning to have? (e.g. individual or team-based events, instructor-led training, live fire and/or 'capture the flag' exercises, testing and experimenting etc.)
  • Will you need the capability to operate the cyber range independently and create your own content?
  • Does the cyber range need to be air-gapped from the internet and other networks?
  • Will you need integration with other external systems, including other cyber ranges?

3. Determine which hosting and licensing model is best for you

There are many things to consider when it comes to hosting and licensing your cyber range. Key considerations in that respect include:

  • Are you looking to invest in a cyber range as a service or as an in-house capability?
  • Do you want your cyber range to be hosted on-premise, in the cloud, or a hybrid of the two?
  • What licensing cost model will be best for you: per user, per cyber range or per event?
  • Will you require training events as a service, or will you be hosting them yourself?
  • Will the capability to monetise your cyber range be relevant to you?

4. Set the budget!

It is important to keep in mind that cyber ranges are not only about technical infrastructure; the investment should be seen as a combination of technology and human work. Costs typically divide into direct and indirect operating costs.

Someone will need to own and run the in-house cyber range, which will cause direct personnel costs, but on the other hand, there are also data centre costs involved, and the hardware, of course, has a life cycle.

The cost range itself is wide (anything from €10 per month per person to multi-million on-premise cyber range establishments), so it's very important to think about where the business falls within this range.

5. Choose a partner that best suits you

It is definitely good news that there is a lot of choice, but this, of course, also means making a decision is not easy. Some key considerations here are to carefully study what the provider(s) experience is - have they previously delivered projects or events that are similar to what you are looking for?

It is always a sensible idea to consult with an independent expert on cyber ranges before you commit. They will be able to further validate your requirements and provide valuable insights on areas you still may not have considered.