Options for Setting Up a Cyber Range: External Partners or In-House Administration

Welcome to the second part of our series on Options for Setting Up a Cyber Range. Last time, we talked about the first high-level choice involved in implementing a cyber range: whether to build your own or buy from a reputable third-party vendor. If you missed that article, be sure to check it out here.

In this one, we’re looking at the second major consideration: is it better to outsource the administration of your cyber range, or to administer it in-house?

Time, Quality, Cost: pick two

Using the three-legged stool analogy from the project management world, there are three main inputs to every project: time (speed), quality, and cost (low price). You only get to choose two, and there will always be a trade-off involved.

High Speed + Low Cost = Lesser Quality

High Quality + High Speed = More Expensive

Low Cost + High Quality = Slower Delivery

When planning your cyber range implementation, start by deciding which two variables are most important to your organization’s success and within their budget.

Outsourcing is a tempting option. Range administration is one more task for cybersecurity teams to handle, and not all organizations have the manpower, available time, know-how or desire to manage their range operations in-house.

Some cyber range vendors offer an all-in-one solution. They provide the cyber range, handle the implementation, and manage range administration remotely. All the customer has to do is train their teams and pay the bills. This may seem like the easiest solution, but it’s worth considering the total cost.

Have a partner do the heavy lifting

There are three main types of work that every cyber range requires: range administration, training coordination, and content development. A cyber range administrator will typically set up and run the server(s) needed to run the cyber range, and this individual is often a qualified system/server administrator. A training coordinator is responsible for determining what work roles staff needs and how those map to cyber range content, as well as scheduling and coordinating time on the range for individuals and teams. And a content developer is in charge of developing up-to-date and relevant training content for the cyber range. These roles cannot be combined into one job, and may even require multiple people to support each division.

If this sounds like a lot for your team to handle, that’s okay. There are times where letting an outside organization carry the load is the right choice. This decision doesn’t remove a job, it augments your team by allowing someone to help them. And if you just want to get started training on the cyber range without having to train an administrator as well, allowing a third party to handle range administration could save time as well as money.

When choosing an organization to assist with range administration, security must be a primary consideration. Third party vendors must be reputable, legitimate, and compliant with all requirements that affect your organization (DFARS, HIPAA, FedRAMP, and NIST are only a few). Ask for references and consider whether the vendor you choose is suitable for the long term.

If your organization is ready to think of cybersecurity as an investment in their future success, there are factors to consider when choosing to move forward with outsourced administration.

The hidden cost of using a 3rd party

The convenience of having a 3rd party handle administration is undeniable. However, it places teams in the position of relying on an outside source for support, reporting, and other chores. The gain in time is often offset by a loss of self-sufficiency and speed.

Fully outsourced cyber ranges are also likely to be highly reliant on cloud connectivity and Internet stability. This prevents deployment in environments where network isolation is a requirement, or where Internet connection may not be reliable, such as certain field deployment situations.

One of the most significant costs of outsourcing cyber range administration is the missed opportunity to develop in-house expertise. Organizations that choose this path will rely on outside subject matter experts, rather than developing their own SMEs. This approach does not close the cybersecurity skills gap: in the long term, it widens it.

However, some partners are able to implement a hybrid model, where they help to develop SMEs inside the client organization as a part of training and deployment. Choosing a partner with this knowledge transfer capability can significantly increase your return on investment.

In-house administration

For organizations with the capacity to administer their cyber range in-house, the benefits can be significant. Not all cyber ranges are confusing or time-consuming to set up and run.

Many organizations prefer the greater control provided by administering their own cyber range. And in some cases, on-site administration is the only choice. When the cyber range solution is a physical in-house appliance, or when network connectivity is unreliable or absent, local administration is required. However, control comes at a cost: range administration is likely to require 1-3 hours per day for an experienced professional. Having an in-house SME and someone designated as the range coordinator is highly recommended.

Organizations that choose to manage their own administration reap benefits in cost savings, self-sufficiency, and efficiency. They are able to develop in-house expertise that leads to greater retention, morale, knowledge transfer, and ultimately enhances the long-term usability of the cyber range.

In-house administration can also lead to better reporting. When everything is managed locally, it is easier to identify and target knowledge and skill gaps. And when greater insight into reporting and metrics is combined with appropriate training, it leads to better performance overall.

Moving forward

When choosing whether to administer your cyber range locally or to outsource administration, it is important to anticipate future migration paths. If your organization requires a physical appliance or a hardware-in-the-loop solution, think carefully about whether that will always be the case. In the case that your company may need to transition to a cloud-based service in the future, make sure that there is a clear migration path from the physical implementation to the cloud.

Realistically, not every organization has the ability to predict their future development. The importance of bringing a team of cyber operators up to speed often outweighs long-term considerations. In this situation, finding a trusted vendor to work with is key to rapid, reliable range implementation.

Now that we’ve discussed the pros and cons of in-house range administration, it’s time to make a shopping list. In the next part of this series, we’ll talk about the factors to consider when choosing a cyber range implementation, and help you choose the solution that’s best for your organization.