
Getting Schooled in Security: Bishop Fox Academy


In early 2019, Bishop Fox founded the Bishop Fox Academy (BFA), an internal program aimed at consolidating the collective knowledge of our consulting teams into a formalized learning and development program. The goals were two-fold: nurture career development, while supporting recruitment forecasting and resource allocation. We knew there were tremendous pockets of wisdom within Bishop Fox, and it turns out that sharing this information in a more structured way has been beneficial to not only our consulting teams, but to all of Bishop Fox.

Simply stated, our vision for the future entails broader sharing of all the offensive security magic held by our Foxes.



The Birth of Bishop Fox Academy

In its infancy, BFA was an initiative to make learning and knowledge sharing more accessible, comprehensive, and self-paced across our consultants. We needed a road map that outlined, from start to finish, the stepping stones of a Bishop Fox consultant's career path and the knowledge that should be acquired on that journey.

“The idea was to take all the knowledge that our consultants have, and make it more accessible to the whole company, but primarily throughout the consulting arm.” - Andrew Wilson, VP and General Manager (LATAM)

First things first – we could not have an instructional program without a web-based platform to host it and easily manage all the content that needed to be shared. To make this happen, we welcomed a partnership with 360Learning, an LMS for collaborative learning. During this initial development phase, we quickly learned that 360Learning was a highly effective communication platform for all departments across Bishop Fox. It is an interactive platform where every participant has a voice for feedback and discussion of each module. Over the first year, the initial scope expanded, and a variety of other content for the whole company, such as onboarding and training, was implemented on 360Learning. With the ease of one platform, Foxes have a seamless and simplified user experience throughout their tenure at Bishop Fox.

During this initial phase of BFA, we also welcomed a partnership with Elevos to help us build a baseline skills framework to support a learning model. As BFA development moved forward, Elevos took charge of developing our non-technical coursework to ensure balance in the curriculum and accessibility across the entire company. While offensive security consulting is a highly technical cybersecurity specialization, there are also many non-technical skills, such as written and verbal communication, delivery, relationships, and business development, that are crucial to every service line and job role.

“Cybersecurity consulting requires a special blend of skills that are hard to find. We used a skills-based approach for Bishop Fox Academy to ensure that Bishop Fox can reliably train capable consultants to meet the growing demands of its clients.” - Jake Prince, Partner, Elevos

Fast forward to today, and BFA offers 160+ courses that are hosted on 360Learning! The technical courses are aligned primarily by service lines with additional paths addressing specialized topics, such as cryptography. We found that it is most beneficial to mix and match industry standard course work, especially application and network testing, with new Bishop Fox-specific content. There is no shortage of expert level, open-source industry content to choose from; no need to reinvent the wheel when possible.

“As the company has grown, we’ve had to address training at scale and BFA is a reflection of taking what we learned as a small firm and investing in making it something that meets the needs of the firm at the size it is today.” - Andrew Wilson, VP and General Manager (LATAM)


Offensive Cybersecurity Compass

Through meticulous and thoughtful review of our offensive skill sets in collaboration with our Service Level Advisory Boards (SLABs), we developed a complex matrix of 155 skills outlining technical and non-technical skill and performance levels aligned to service line capabilities. It is essentially a BFA compass that leads consultants in the right offensive security direction!

An internal system called Skillsbase tracks completed BFA courses. Tracking allows consultants to monitor their own individual skill matrix over time with respect to the larger matrix and compare their progress to desired job roles and service lines. These comparisons help consultants and managers develop effective training plans to drive careers forward and reach individual learning goals.

Additionally, the matrix and Skillsbase data help forecasting and resource allocation by enabling more accurate planning for future projects, staffing needs, and service expansion.

“We have a big matrix of skills; we have maps that outline which skills are tied to services and performance level expectations. For any given service at any given skill, we know the training resources that we can develop or identify to target that skill set at that level.” - Andrew Wilson, VP and General Manager (LATAM)


Mapping Out Career Development

For individual career development, BFA is a heavy hitter! BFA leans into individual career development for our consultants no matter where a consultant may be on their journey. The aforementioned matrix serves as a map for job role expectations with an organized career path to get from point A to B or perhaps X, Y, or Z. With this comes a logical and repeatable system for job role expectations and career advancement.

For example, we have standardized methods to guide all junior external pen testing consultants along the matrix course work to align with promotion eligibility, service line expectations, and increased responsibilities in our organization.

To keep a pulse on career development from a larger workforce perspective, BFA is closely tied into our consulting internship program. This relationship is important because it lets BFA provide repeatable skill set development and consistent expectations across the organization, from entry-level jobs to tenured veterans.

We love to hack and want to make sure that we always continue to get better at it! If a Fox wants to learn or advance their skills in hardware testing, for example, there is a training path from start to finish that directly supports our service line connected to this skill set. Resources include internal and external courses, licenses for eBooks, playbooks, methodologies, and people to connect with. If there are pre-training courses required before jumping into hardware testing, such as application and mobile testing, BFA guides Foxes through the process to ensure no missteps happen.

Additionally, Bishop Fox offers a yearly training budget to all Foxes across departments and organizations. Each Fox can stay current and learn the latest and greatest trends in their respective fields that contribute to the greater offensive security mission.


Planning for the Future

BFA is not only a robust continued education program, but it is a company resource that drives forecasting and resource allocation for our offensive security services. For resource allocation, this matrix will be a key asset for tracking what we have in our consulting knowledge bank.

When we need to have a broader view of our consulting organization, this program will help answer a few questions, such as:

  • What are all the current skill sets in the consulting teams?
  • How many consultants are aligned by skill to each service line?
  • How many consultants are at each role level?

Future forecasting will be significantly more accurate and agile because we can closely monitor what skill sets we have and what we need to recruit for. We are dedicated to ensuring that we have an adaptable process to find and retain the top offensive security talent.


Practice Makes Perfect

The next steps for BFA are just around the corner. Putting the virtual curriculum into practice with hands-on labs is a critical next step. With a virtual lab experience, Foxes can gain the important practical experience that complements instructional coursework and learn from mistakes in a completely safe, virtual environment. Diving into new skill sets, staying up to date on current skills, or refreshing skills that may have been collecting a bit of dust will all be possible with virtual labs.

“Having all of the knowledge in the world matters only if you also know how to apply it. Reading may get you far, but there's no better teacher than real-world experience.” - Vincent Liu, CEO, Bishop Fox


About the author, Andrew Wilson

VP/GM Latin America

Andrew Wilson is responsible for managing the Bishop Fox presence in Latin America. He has presented at DEF CON, BSides, ToorCon, and AppSec. Andrew is the founder and lead organizer of CactusCon, the largest security conference in Arizona. His research and writing have been cited numerous times by OWASP. Andrew is recognized by Microsoft as an expert in application security, having previously been selected as one of only 19 Developer Security MVPs in the world.
