Ready, Game, Train, GO!

As an employer, it can be difficult to gauge the hands-on experience of potential cybersecurity hires. Yes, they come with the right degrees and the right certifications, but can they do what you are hiring them to do? How can you assess their hands-on capabilities? Eric Basu and his company, Haiku, Inc., created World of Haiku to help bridge the gap between employers and aspiring cybersecurity professionals. We talk to him this week to learn how the game came about, the difference between gamified training and games that train, and future plans for the game.

Tune in to this episode of Ask A CISO to hear:

  • The inspiration behind World of Haiku
  • The psychological overlaps between game designers, gamers, and cybersecurity practitioners
  • Difference between gamified training and games that train
  • The reception of the game so far
  • Theoretical vs hands-on knowledge
  • How World of Haiku is helping to bridge the gap between employers and aspiring cybersecurity professionals
  • Gamified training vs Games that train
  • What games Eric plays and the genres he likes
  • What’s in store for the game

About The Guest: Eric Basu

Eric Basu is the Chief Executive Officer of Haiku, Inc., a company that makes games that train. Their product suite includes the World of Haiku, a role-playing game set in a dystopian cyberpunk future that teaches players real-world cybersecurity skills that align with CEH (Certified Ethical Hacker) and other cybersecurity certifications.

Prior to heading Haiku, Inc., Eric helmed Sentek Global for more than 2 decades, where he steered the company to being a leader in cybersecurity and technology solutions for government and commercial clients.

Outside of his professional commitments, Eric is also a Limited and Venture Partner at The Veteran Fund, a Member on the Board of Directors for the Las Vegas Metropolitan Police Dept Foundation and a Member of the Board of Advisors for Saved in America, a non-profit that helps rescue and rehabilitate trafficked children.

Eric spent almost a decade as a Special Warfare Officer with the US Navy SEALs.

About The Host: Paul Hadjy

Paul Hadjy is co-founder and CEO of Horangi Cyber Security. 

Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.

Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific. 

He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams. 

He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking. 

Transcript

Jeremy

Fantastic.

What you've just seen was a trailer for the World Of Haiku, really exciting stuff here. And we are delighted to be joined today on the Ask A CISO podcast by the creator of World Of Haiku, Eric Basu.

Eric, thank you so much for taking the time to join us here today.

Eric

Yeah. Good morning, Jeremy.

Thanks for the opportunity to be on your podcast.

Jeremy

Well, it's really a pleasure to have you.

And maybe just before we kind of dive into the conversation, let me just take a minute to give a quick introduction for those who have just witnessed that trailer and maybe would like to know more about you.

So, what I can share with the audience is that Eric Basu is the Chief Executive Officer of Haiku Incorporated, a company that makes games that train. Their product suite includes World of Haiku, a role-playing game set in a dystopian cyberpunk future that teaches players real-world cybersecurity skills that align with CEH, Certified Ethical Hacker, and other cybersecurity certifications.

Prior to heading Haiku, Eric headed Sentek Global for more than two decades where he steered the company to being a leader in cybersecurity and technology solutions for government and commercial clients.

Outside of his professional commitments, Eric is also a limited and venture partner at the Veteran Fund, a member on the Board of Directors for the Las Vegas Metropolitan Police Department Foundation, and a member of the Board of Advisors for Saved In America, a non-profit that helps rescue and rehabilitate trafficked children. Eric spent almost a decade as a special warfare officer with the US Navy SEALs.

That is quite an impressive and diverse background if I do say so myself, Eric. It's a real pleasure to have you on today, as we talked about, and I guess just to kind of kick off the conversation coming off of viewing that, what was the inspiration? What kind of led you to start World of Haiku?

Eric

I, I appreciate you asking that.

My last company, Sentek Global, was a defense contractor and we hired a lot of cybersecurity people. And I found that as I was hiring cybersecurity people, a lot of the time they'd come in with degrees or they'd come in with certifications, but none of that was really a measure for whether they could do the hands-on work.

And we hired a variety of people. We hired Department of Defense compliance people. We hired security engineers. We did a little bit of pen-testing, the offensive cybersecurity side. But really, there was no way to tell that unless we had a hands-on way of checking their ability to actually do the work. And so we actually looked at SCSC, a company called SCSC was spinning off a product called Cyber Nexus, which was a Capture The Flag-type of platform. And we had looked at potentially acquiring that.

And then as I left that meeting, I was talking to my technology guy and thought, you know, a couple things. One is, it was built on Big Iron; we should rebuild this in the cloud. And then two, I said, we should actually need to offer this to consumers because they're only offering it to government and academia. And the reality is if you can offer a cost-effective platform for training, hands-on, people, hands-on that doesn't exist.

And that was about six years ago and that it didn't exist. And so fast forward, I sold that company, my last company, Sentek Global, to Deloitte in July of last year, and I immediately spun up Haiku to do exactly that, to be able to build video games that teach people how to do skills. And we put out kind of what I like to call a marketing alpha, which was, you know, as a, I'm a serial entrepreneur, and so I believe the best way to do market research is give something to people and see it to buy and see if they wanna buy it. And if they don't wanna buy it, then ask them why.

I mean, that's yeah... Sorry, it sounds very basic, but I mean, I have an MBA from UCLA and you know, there's all kinds of different ways to do high-level analytics for market research. The best thing is put it out in front of your target audience and see if they buy it.

So, the feedback we got from marketing alpha was immediate. It was called the Haiku range, is what we called at the time. We put a video game front end on top of an AWS backend so that people could go in and we carry them through the hero story of the video game in the back end, they're actually banging on AWS network, and the feedback was immediate.

People who said, I love the idea of a video game that teaches me cybersecurity, but guys, this is too darn hard. I don't know what to do when you put me at the Kali Linux interface, I need more, I need more handhold. I need more, I need, I need to have somebody you know, help me more. And you see that now with people that try products like TryHackMe, and I've heard this time and time again as if you wanna get into cybersecurity and you're coming completely cold, and you go to TryHackMe, it's not easy, right?

I mean, it takes a lot of focus of effort. The other people that I heard from were people that were actually cybersecurity professionals say, you're gonna gimme a Kali box and I can bang on the back end. Great, can you please get rid of this front end? Because it's just keeping me from doing what I'd like to be doing, which is just getting into the hard stuff, right? Just gimme a Kali box some goals and let me go.

So we developed our two products from there. The World of Haiku is a no-kidding video game. We basically hired a whole video game team. Vincent Aliquo is our lead video game developer. Brilliant, very, very talented. And I went to the team, and I had them all read a book by Celia Hodent. She's very brilliant as well. She is a UI/UX developer, but she wrote a book called The Gamer's Brain and it talks about ... she's a psychologist, I believe as well. And she says, how do you use your video games to teach people the skills they need, and she did it with the idea of having people enjoy your game more.

And I looked at that, and I've been thinking from the beginning, you know, I used to play Dungeons and Dragons as a kid. So I can still tell you the difference between a ... and a hippogriff, a manticore. Completely useless information, right? Nobody's gonna hire me and go, well, you know ... You have some questions never been asked in a job interview. But it went in my long-term memory, and it's been there for 40-plus years.

And so, I thought video games teach us ... if you're a first-person shooter person, the ability to do a drop shot 360, it's long-term memory. You pick it up again and you get it the ability to do, you know, I like Elder Scrolls, the ability to do potions in Elder Scrolls, that's all sitting in my long-term memory.

So, video games teach, and it's a combination of, they break down your barriers because you're having fun, and two is, they actually have a way in which they do that. And Celia Hodent in her book really, really hit that well, so I made the entire, well, I didn't make them. I told everybody it's mandatory. You have to read this book. And we developed the learning engine actually in World of Haiku.

And one of the things we do, for example, is Celia recommends this, is you introduce a concept once, you introduce it a second time. You refresh the brain with a different concept, go off, and fight some other monster. Then you come back and you do kind of an FTX or a boss fight or something to ingrain that. And so, we went back, and we spent a lot of time and I said, we need to get that learning core engine right.

And let's do that repeatedly for the different concepts that we have in the World of Haiku. And I have to say, I think it was a real success. I mean, I had one person who messaged us on Facebook Messenger and said he was Australian Defense Forces. And he had installed Linux two months before and really wanted to get into cybersecurity. But he said, I have not been able to figure out how to do this. I just hadn't been able to focus because he said he had PTSD. And he said with your game World of Haiku, he goes, I can't stop playing it. This is the first time I've been able to understand Linux because of the way you're doing it, and so little data points like that.

I was playing it one weekend through mission five, and I thought my muscle memory for Linux is better than it's been in my life. I read a review just a few minutes later from somebody saying my muscle memory for Linux is better than it's ever been before in my life.

So we've definitely hit something that is helping people who were not able to, you know, go into a Kali Linux box just naturally and go, my God, I'm a, I'm, you know, I'm a Beethoven, and I can, my fingers can fly over the keyboard. And they're getting it. And so, we were really happy about doing that. And the whole idea there is we teach more complex skills.

The other thing we did with the World of Haiku is we built a simulated environment so you may feel like you're in a Linux box, but you notice when you type a man command, you don't get four, five pages of stuff you have to go sift through to try to figure out what it was that you were trying to find. You actually get a very short paragraph and it's highlighted in green and red with all the things you need to know. And you have an active manual where it'll actually take only the commands that you've learned and put it in that.

So, you're not dealing with 300 Linux commands. You're dealing with the five commands that you've learned and so I've heard some feedback from people say, well, there are other commands that you could put in here. I'm like, okay guys, we have to build all this for one thing.

I mean, so yes, there are a hundred commands, but unfortunately, I'm not a, you know, I'm not a billionaire with a billion dollars to throw at this. This is all bootstrap company and we're all trying to make it work with our dev team but what we've done with the commands, we have people really seem to be absorbing the concepts better than they could have.

And sorry, that was kind of a long monologue.

Jeremy

No, that's great.

Eric

That was a lot of the thought that went into Haiku.

Jeremy

Look, there's so much to unpack in that alone, but I can tell you, like, as you're going, so many things are firing in my brain.

One of the things that definitely fired was, up, up, down, down, left, right, left, right, B, A, which is one of those muscle memory, things that I think is actually like really real and from a gamer's perspective, like putting people in a familiar context, that they know that they have some muscle memory for, it's a very, very conducive environment to then opening up new things. If you think about games and kind of the quests that you go on, accumulating skills that psychological point that you mentioned, you know, you introduce a concept, you reinforce it, then you introduce a different concept, and then you reference back to that original one. You've got this kind of contextualization of a learning path as you go there.

There's so much we could dive into and so on, and I've thought about how you're talking about building up an array of accumulated skills that you then, you know, grep into that manual when you're issuing the commands. I could see that as well, playing out.

But one question I wanna ask is, as you were going through kind of asking everybody on your team to read that book or requiring them to read that book, what in that kind of, did you see as the psychological, let's say overlap between a game designer or a game player and a cybersecurity practitioner? Because you've been a cybersecurity practitioner or a cybersecurity leader for decades at this point, right?

And so there's gotta be some kind of elements of common psychological, maybe profile is too strong a word, but some kind of common interests or, or common, let's say, learning approaches that you must have thought about as you thought about kind of merging those worlds of gaming and cybersecurity.

Any thoughts, anything come to mind there?

Eric

Yeah, that's a great question. Thank you.

And you're right, that's an hour conversation just by itself, I think. Some of the common, so what, some of the observations, the outside observations: one would be that cybersecurity is not easy to learn. And that's one of the reasons I thought if we could take a completely different approach to it and, and you see this because again, TryHackMe didn't exist.

And my hat's off to those guys that built that. I mean, they came outta nowhere and they have 1.7 million users in a couple years and they're straight out of college, you know. I love the, I know they're British, but the American dream, I call it, about starting your own business and they've been phenomenal and I'm really happy whenever I see that.

But I keep hearing, for example, it's too hard.

Jeremy

Right.

Eric

And I can see that. I go into TryHackMe and, I play the rooms and I'm kind of like, what does this mean for me in the big picture? What does this mean? How does this connect me to a job? How does it connect me to a certification?

And to be honest, if I hadn't been in cybersecurity, I don't think I would've been able to do this.

There are tons of videos out there online that you can look at as well, and even those are not enough to be able to teach you the skills. There's certainly an overlap between cybersecurity practitioners and video game practitioners in terms of the geek factor.

Jeremy

Right.

Eric

People love, you know, the video that you showed at the beginning. I mean it was really funny. Somebody from PC Gamer wrote, I, I don't even call it a negative review because it was actually a really humorous review and he called the main character cyber clown. The one in the very beginning with the blue makeup and he kept ragging on that and ragging on that.

And one of the feedback and one of the comments from somebody was, I hate to tell you this, but that's actually how security analysts dress. We do dress in clown makeup. We all laughed at that. We thought it was hilarious. We thought it was a really funny thing.

But the geek factor is huge.

You know if you were to channel Star Wars, vector runs strong in these ones,

Jeremy

Right, right.

Eric

for both video games and the cybersecurity practitioners, but again, from my real take on this one is that we needed to make it easier. And there's great...

They just did a study on Duolingo. Are you familiar with Duolingo?

Jeremy

Yeah.

Eric

So, it's not truly a video game, although it's more video game-like than a lot of other gamified training programs. But they said if you do a beginner's course in Duolingo in French or Spanish, how does that compare to somebody in college? And they found out that if you do it, just the beginner's course, which you could do and be somewhere between one to three months, depending on how much you put time into it, time you put into it. It's the equivalent speaking, I'm sorry, listening and reading as it is to taking two years of college in French and Spanish.

Jeremy

Right.

Eric

And so you have basically a free or nearly free platform that has better learning results than the traditional, we've had university since what? 1200.

Jeremy

Yeah.

Eric

I mean for almost a millennium, you know, it's better than the ways we have been teaching ourselves for hundreds of years. And that's what we're trying to do with World of Haiku, is we know that cybersecurity is difficult to learn. We know that the degrees and the certifications have value, but they aren't necessarily what employers are looking for.

They're looking for experience, which means hands-on experience.

Jeremy

Yeah.

Eric

Can we teach that better than the traditional learning methods?

Jeremy

Yeah.

Eric

I'm sorry that was kind of a roundabout way into your question, but yeah, I think, I think what would proven the World of Haiku is the answer's yeah, absolutely yes.

Jeremy

Yeah.

And do you think that, that, to your earlier comment about kind of, let's say, people coming out of school, but not necessarily being ready to jump into those environments, that's one of those things that you hear kind of across the board in Information Technology domains, not only cybersecurity but even in things like programming, is that there's often a big gap between theoretical knowledge and applied knowledge?

It's taught one way from a theoretical standpoint, but once you get into an actual environment, you've got all these kind of non-theoretical factors going on. Things like pressure to deliver and deadlines and shipping times and collaboration, and by the way, you might have some teammates that are on very, very different levels than you some much, much further advanced and some who might be below you.

And so I imagine that's also gotta be one of those things that you're trying to help people do is to go from, let's say, some might come into World of Haiku with a theoretical understanding, but no real kind of practical hands-on keyboard, real-world experience.

Did that factor into some of the design decisions as well?

Eric

Kind of in both in World of Haiku.

I mean, World of Haiku is our product to get people with no experience, so... And again, back I've given you, is that it seems to be very, very good in that. We carry them over to Haiku Pro, which is definitely a more advanced product. It's a Chrome-based browser and you go in there and you log in and you can pick a range, and we've got a selection of ranges in the beginning, adding more ranges all the time. And we give a series of hints to help take you through that.

And it's a fun story, of course. One of 'em is Silk Road where there's some evil drug cartels that are doing bad things and you have to go hack their website and deface their website. And so just, you know, fun, fun stories, but then we also give hints so that if you're really stuck, you can go ahead and do the hints.

But the reality is unless you are really comfortable at a Kali Linux box, it's I wouldn't say, Hey, go Haiku Pro. You're gonna be, you're gonna fall right in there and you're gonna do great, 'cause I think most people will have the same experience they did with our Haiku range product is, Kali Linux is actually really hard.

Jeremy

Yeah.

Eric

You know, there's a lot of things in here that I wasn't able to get, but the context of what we're trying to do, I realize that as I, as I look at a lot of these products and I thought one is, um, uh, you know, I, I hear people like one young lady on our Discord said, uh, do you have any recommendations for entry-level jobs? I don't know what to look for.

And I said, I tried SOC Analyst.

She goes, I've never known what that is. She typed in, she goes, oh my God, these are all entry-level jobs. And I thought, people don't have the context to know the skills, what the skills they're doing turning into in terms of jobs.

So we actually, because we're able to track everything in the Unity Engine that we build World of Haiku in, video games are great at that, right?

Jeremy

Yeah.

Eric

I mean, they're trying to monetize somebody from five feet and you can turn that into, you know, something. So you can, we measure everything in there. To a lesser extent in Haiku, but certainly, because it's a controlled environment, we can measure it. And so we're actually able to look at the individual skills people use, like Nmap for example, and we can go pull jobs that ask for Nmap. We can present...

Now 99% of the time, the job's gonna have other requirements that you don't match, right? They're gonna require three years of experience or OSCP or something. But the idea there is let's give people who are trying to get into cybersecurity, an idea of the kind of jobs that are out there, and then it might change.

Somebody might go, well, I have to be a pen-tester, and then they go on there and look, no, I don't wanna be a pen-tester. I want to be a Forensic Analyst. That's what I really like to do. And I didn't know about it until I was presented with this job. That's one thing we do and we call it Job Connect.

The other thing we do is because we can track everything they're doing, so we can actually give them and we're giving them when we release Haiku Pro at the end of September, that's gonna be in here as an available option for anybody that has World of Haiku, you can sign up for even the free Haiku Pro account, and then you'll get access to the skills resume and so you can go there and we're actually gonna be able to give somebody a resume. They can show to an employer and say, I have 100 hours in offensive cybersecurity. I'm rated in apprentice level two.

These are all examples.

As you break that down, the actual Nmap skill, I have used 65 times and I've spent an hour and five minutes using that skill, and I'm rated as an apprentice level one in Nmap. And then you go down for all the other skills that we're measuring.

And when I talk to employers about this, they, the CISO and just the hiring manager level, they're like, this is what I've been looking for. I can see the degree. I can see the certification. The years of experience are helpful, but knowing actually how many hours they've spent in the thing that I am hiring them for, that's gold.

And so that's, what we're trying to do is really, you know, because the main point of all this is the, these people on this side are trying to get a job. And these people over here are trying to hire qualified people. We're trying to make that these people over here have the right bona fides to get hired by these people over here.

Jeremy

Yeah.

And is that part of the Haiku career training path or the career training system?

Eric

Yeah. It's both it's, yeah. Yes. Short answer is yes, but that encompasses our Job Connect and the Haiku skills resume as well. Yeah.

Jeremy

Yeah.

I think that's really, really interesting, especially kind of going back to your earlier point about helping train people from the beginning and you gave that example of the woman who did the training and didn't even know about a SOC Analyst as being a role. That seems to be such a valuable kind of path to take somebody through that learning process, get them deeper, get them some applied hands-on learning, get them to kind of transition from theoretical into applied or if they're from that background, but then get them exposure into what is all out there, and I think that's really valuable and we hear, and I'm sure you've heard this stat and we actually had a conversation with a previous guest about whether there's too much truth in this or not, but we hear about, let's say, a shortage of cybersecurity workers.

And so any kind of initiatives like this that I think can help to fill roles and help customers do better with security has gotta be a net positive in the world. So kudos to you and your team for undertaking this.

I wanna take a little bit of a break from Haiku for a second and ask about some things that are kind of, I think of as being related to security training that are, let's say, maybe less on the specific cybersecurity practitioner profile, but more kind of general security.

And one of the things that comes to mind when I think about kind of cyber training platforms is, you know, this annual security training or the annual security review that a lot of organizations go through. It's something that we all dread. It's something that I've seen personally, I've seen people at their desks doing it, where they just run the videos on a second screen, let them go through because there's something tracking that they've actually watched all the videos and it becomes, in my mind, a kind of check the box exercise.

Does that kind of match with your observations over the years?

Eric

You know, you couldn't be more right.

I was just at Black Hat this last week. And I was, it's funny.

We solidified the games that train out of that cause I was talking to somebody and they said, so you do gamified training. And I thought about it for a second. I said, no, we do games that train.

And they said, well, it's the same thing, right?

I said, no, it's not.

I said, so if you take training, like security compliance training that's required. And so you put some badges on it, still boring, right? You put it in a video and you have people doing fun role-playing, still boring.

I mean, nobody looks at that and says, this is fun, right?

You take a game. By definition, a game must be fun, right? Something nobody's ever said is create a game and it's not gonna be fun. This is gonna be completely new. And because it's not fun, everybody's gonna no one, everybody's gone, you create a game by definition, whether it's a kickball or it's a card game or it's a video game, it must be fun because we're appealing to that part of our brains.

So we create games and we make two co-priorities.

One is the fun factor. The other co-priority is that it actually has to teach real skills. And that's what we did. And I actually talked to my dev team. I said, my two daughters have no interest in cybersecurity. And I told the team, I said, if my daughters don't wanna play World of Haiku, then we failed. And they actually internalized that. I actually jumped in on a meeting one time, a virtual meeting and heard somebody saying, if Eric's daughters can't play this game or don't wanna play this game, we failed.

I'm like, okay, good. You've already internalized that.

But the reality is we wanted to make a game that number one, was fun for people who don't even like cybersecurity. So I'm sorry. That's another long getting back to what you're saying is, and that's what we do is games that train, and so we're actually expanding into areas exactly like you talked about.

We've got a few different initiatives, which I can't really talk about too specifically,

Jeremy

Sure.

Eric

cause I like to wait till I actually have the product market first, but specifically where we're addressing issues like that, but we're creating a game. And it's the first and foremost as I look at a game perspective and a game builder perspective is what video game would I do to do this?

You know, for World of Haiku, we used a role-playing game, but would this be a role-playing game or would it be a trading card game? Or would it be kind of a puzzle game and what would it be? Now that I've got a game and we've got a fun game, how do I get all of these concepts that I'm trying to teach in the game so by the time they're done, they're just kinda like, that was a kind of fun way to spend a half hour getting paid by my boss.

They've internalized the actual concepts as well. So, you know, the games that train that is really what we do, cybersecurity offensive, that part of it, but all these other opportunities for being able to let people learn better than they can through the current ways in which we're trying to teach them.

Jeremy

Yeah, absolutely.

And as you were talking, I was just thinking about that, and you know, when we're kids, a lot of educational institutions, schools, et cetera, are really leaning into that idea of games that teach. And so, you know, very, very similar to what you're saying, games that train, and that's a, it is definitely different than, let's say, gamifying an exercise that is fundamentally a training exercise, and everybody knows that going into it.

And as you said, those things kind of often are dead in the water, but I do wonder, as we transition from childhood into adulthood and from school into careers, somehow that whole idea often gets thrown out the window of there being value in, in embracing a game that trains.

And yet, there's this saying that humans are often the weakest link in the defense chain. And I guess first, A, do you agree with that? B, do you think we should really, like, go to HR departments or who do we need to go to, to get them on board with this idea that it's not about gamification?

It's not about trying to make our, quote-unquote, training platforms more fun. It, we should really, like, re-expose adults to games as a learning tool.

Who do we talk to?

Is it, is it CEO?

Is it the head of HR?

Eric

Yeah.

I love where you're going with that.

One is, I think you're 100% right. I mean, it's funny. One of my board members said, the problem is when we're selling at the board level, for example, the, I, the, you simply use the word video game and you turn off a huge number of them, 'cause they're kinda like video games? This is serious business. You're doing the word. Whatever it is, we do, and we're making billions of dollars a year, and we don't have time for video games, and that's kind of the same thing you think, right?

Unless you're really talking to somebody who's been a gamer their entire life, it's kinda like, I don't have time for video games. And I mean, as an example, I mentioned that I played Dungeons and Dragons when I was a kid. You couldn't say that 10 years ago, without people going, oh my God, you're kind of, oh, you're one of those freaks, right? Now I, you know, I mean, I got, I got the same example, sorry, response that you gave me when I tell people like, oh, that's cool.

I'm like, oh, it's cool now? Good. Okay, good.

You know, the idea that we can play really geeky out of the way, out of the world, the real world games because it helps us develop our minds in ways that the normal things we go through during our life don't stimulate our brains is something that I think people are coming more and more to embrace.

To answer your question who do we approach in the corporation? I'm not sure it's HR, because you have a lot of people in HR who are still old school, right?

Jeremy

Yeah.

Eric

Well, we know how to do it. I've got a PowerPoint presentation right here that teaches that. Why would I need a video? You know I'm not gonna buy a video game! I can't put that on a corporate, on my budget.

The ones that have found that most embrace it, at least for the cyber security side are the actual cybersecurity practitioners, particularly the ones that have played World of Haiku. And in their mind, they immediately recognize this is a better way to teach, and then they become evangelists and they start pushing it out there.

I think as we start having other things that we're teaching other than offensive and defensive cyber security in that niche, if we do security compliance training, for example, I think you get a few people who are forward thinkers within the organization and they actually play the game and they think two things.

One is, this is fun. Hey, I actually learned this stuff and I wasn't really even realizing that I was learning it. It wasn't a difficult task. They're gonna become the evangelist for that.

Right now I would say we're ahead of our time, quite a bit. I agree with you. In elementary school, the idea of a game that trains, we're gonna teach teamwork by playing this particular game. It's absolutely there, you know, there's a lot of creativity in some of these teachers, but at the corporate level, creativity is a little bit behind. So I think we're a little bit ahead of our time here but I don't think we're, you know, I, I don't think we're leaning too far forward in the skis.

As I look at the response people are getting, I'm like, I just need to get this in front of the right creatives at each company. And then they look at it and go, this is brilliant and we're gonna buy it.

Jeremy

Yeah. Yeah.

So coming back to the gameplay element for a moment, just on you personally, what do you play? What are your favorite games or what are your favorite genres?

Eric

Yeah. Yeah.

You know, I was, it's funny. Some of my best memories are ... I have two sons that are 27 and 21 right now, and some of my best memories as they were growing up was playing video games with 'em. We played City of Heroes was a fun game, cuz we're all into superheroes and comic books and everybody's into it now.

I have a huge comic book collection, and it was, again, one of those things I was embarrassed to say was like, what are those? Those are my comic books.

Jeremy

Yep.

Eric

Don't, don't judge me.

Jeremy

Yeah.

Eric

I was like, oh my God, you know, you actually know the origin of the Vision, you know, and you've got the number, Avengers number 57. It's cool, right?

Yeah, but we played City of Heroes. That was one of our games we loved. We tried Champions Online when that came around. We did a lot of World of Warcraft. We did Command and Conquer, some of the old-school ones there.

Nowadays, unfortunately, I'm in startup mode, so I work 80-hour weeks, and I don't actually have a whole lot of time to play video games, even though it is actually research for me though. Unfortunately, most of my time is spent in meetings from morning to evening.

But I do like Destiny. I like it as a first-person shooter, I think Destiny combines enough role-playing aspects with enough first-person shooter aspects to really be interesting.

I do like Elder Scrolls, the role-playing aspects of that one are incredibly detailed and the, and the worlds are beautiful. You know, for anybody that played Dungeons and Dragons as a kid, look at that.

I have not been able to get into Elden Ring. I downloaded it and I'm kind of like, I feel like this is a learning curve. This is gonna take me more than the free time that I have. And so I never quite got into that.

Jeremy

So, so they need a World of Haiku intro for, for Elden Ring, kind of get you that learning, get you over ... You need a World of Haiku intro level for Elden Ring to kind of get over that learning curve.

Eric

Yeah, it's almost like, it's almost like a profession trying to learn Elden Ring and I mean, it's beautiful. I look at it and go, I'd like to be into this, but I don't think I have the time for that.

Jeremy

Yeah.

Eric

And then I, I go through the Xbox and I look through for various games. I try not to play video games on my phone. I got caught into a Star Trek game one time that was pay-for-play, and I ended up like a couple hundred dollars into it because people kept attacking when I was sleeping. And I'm like, this is more stressful. This isn't, this isn't fun. This is stressing me. So I had to leave the game.

Jeremy

Yes. I think you made the right move there.

I, I have a friend who was a game designer at one of those and I may or may not be able to confirm that there is definitely a, whoever pays the most wins element to a lot of those kind of free-to-play mobile attack strategy games.

By the way, I myself, military kid, I lost my comic book collection in one of the many moves during my childhood. I do look back on that with some level of regret, cuz I had, I think the first 20 issues of GI Joe which was something that I really gravitated to, and who knows, might have been able to pay for a year of, of one of my daughter's universities at this point. But yeah, that's awesome.

Eric

Yeah.

Jeremy

So a couple other things, what can you tell us about some of the future direction without, you know, obviously wanting to ask anything that you're not ready to talk about?

But I think of cyber as such a broad, broad space, you talk about kind of, let's say, things oriented around kind of Kali Linux and, and, you know, maybe some like offensive and defensive training stuff there. You thought about, or I imagine you thought about expanding into other aspects of cyber, like cloud security, GRC, things like that, or is that on the horizon at some point?

Eric

Absolutely.

One of the first things we got, the first feedback we got from World of Haiku is, I need more content.

It's kind of funny.

I mean, we, we did find that our real true, core fanatical audience of the cybersecurity folks, the gamers tend to be, they're looking for that quick hit, right? And so it, the, for the gamers, the feedback was always about like, one person came in and said, this game's only one hour of time. And I actually looked at that and I looked at their profile and I said, you have 10 and a half hours in the game, unless you played this 10 and a half times, you didn't finish this in an hour.

But you know, people like to brag, you know, that their time was, and they complained there wasn't enough time in there, but legitimate feedback from our cybersecurity people is can you give me more content? I would love this, you know, I would love blue team.

And so we've got a free DLC coming out at the end of September, same, coincidentally, just the same timeframe as our Haiku Pro release. And so we've got the free DLC coming out for World of Haiku. It's gonna include a blue team mission because we've got a lot of feedback on that.

And by the way, on our Haiku Pro, we made sure that we're trying to do a third of the range is offensive. One-third blue team, one-third forensic. Because, you know, it's sexy and fun. It is talk about being a hacker. The reality is 90% of the jobs plus are in defensive, they aren't offensive. So we've got the blue team scenario coming out at the end of September in World of Haiku.

We're looking at more mission repeatability. So if you're like in, you play Destiny for example, and you go to the vanguard missions, you've got side missions that have a certain amount of repeatability. We're looking to do that to help people build up their skills resume so that they don't just go through the game and go, well, okay, I only got Nmap 32 times, but the reality is it's kind of hard to go back and do the exact same thing.

Again, we're gonna give some repeatability, so somebody that wants to know every single switch on Nmap, we're gonna give you a game and you can go ahead, whenever you have five or 15 minutes, you can go and play that and you can learn a new switch and learn a new way to do Nmap and by the time you're done, you should really feel like I'm very, very comfortable with Nmap or whatever tool we have.

Jeremy

Yeah.

Eric

Those are a couple of things we're looking at.

The other thing we're looking at that we're really, really excited about is people have been saying, PVP, can we do PVP? Can we do PVP?

I came back from Black Hat and I was at the cyber games, and it's funny, the stadium, you know, they have a whole, Luxor has a whole stadium there and the stadium was empty and myself and Coleman, our cybersecurity lead, he, we were kind of like, I was like, this is really boring.

I mean, yeah, I can tell the guy's doing cross-site scripting up there, but there's a reason nobody's sitting in the stands. This isn't that much fun, I mean, to watch. You know, from a truly intellectual perspective when you know exactly what they're doing, but you have to immerse yourself into it to follow what they're doing. It's not like you can look at a tennis match and go, oh, okay, that was, that was a great hit.

I mean, you have to, you know, it's, there's a lot of cognitive requirements to be able to actually understand what's going on. And one of the, um, Eric Belardo, he's a leader of Raíces, he's a cyber influencer, and he actually made a great comment to me.

He goes, you get, you put the pew pew factor into cybersecurity training. And he goes, if you can turn that into a PVP, now we've got something that is interesting, that people would want to Twitch stream and people would wanna actually sit in the stadiums because you can actually watch somebody going from network to network in a fun, exciting, video game way, and so we're working on that.

Jeremy

Awesome.

Eric

It won't be until next year but we're gonna stick to our core tenets of everything must be a real cybersecurity command. No getting around it. It's not gonna be any fake kill the attacker!

You know, all of a sudden their computer ... Everything you do in there is gonna be developing muscle memory on cybersecurity skills. And we're gonna work on the other basics, like game balance and the visual factor. What makes this interesting. And the goal from the PVP there is to get people one, more time in there so they're developing more muscle memory, and two is, get people who don't know anything about cybersecurity looking and go, that looks super cool and I think I want to do that, which nobody that goes to the cyber games would do that right now.

Nobody who's not in cybersecurity goes, oh my God, this is cool. I wanna, I wanna get some of this.

Right?

And so we want to give that, that fun factor and people are going, I don't know what they're typing, but I wanna learn it because I wanna play that game.

Jeremy

Yeah. Yeah. Awesome.

One, one question that arose from something you said at the beginning of that was one of the things that I often hear from people is, and it's been a long time since I've been a practitioner, almost 20 years at this point, since I kind of shifted over onto product and, and sales and stuff.

But I often hear from people that offensive and defensive mindsets are very, very different. And you'll hear that kind of, and I agree with you by the way, like 90% of roles are defensive. So if you think about, kind of jobs and careers, that's where most of, of the, that's where most of the legitimate money is, let's put it that way, right?

But, but that's ...

Eric

That's a good qualifier.

Jeremy

Yeah.

But you often hear that, on the offensive side, one of the things I hear is that, Hey, if you're trying to break into a system and you're not having luck, keep trying and try harder. And basically be more creative, start thinking about other tools, other techniques, you know, TTPs that you can bring to bear.

Do you find that that's something that you wanna kind of expand in people's mindsets in some of the design elements that you're, you guys are building out in World of Haiku?

Eric

Yeah.

One, I think you're exactly right.

I think if you're, it's the same in the military as well. I mean, if you're trying to, you know, whoever sets up their defenses, they're generally not going for overt creativity, right? They're going for very basics.

Let's roll the holes. Let's have a, you know, roaming patrol. Well, let's take that physical example. Let's have a roaming patrol. Let's have a good alarm system. Let's have cameras in different places. Let's have dogs if we need to have dogs, or if you're doing underwater, let's have other mammals that are used for defensive purposes against combat swimmer.

Sorry, kind of taking the analogy like really far, but from the creative standpoint, you gotta look at that from the outside and go vulnerability analysis, and they're actually target analysis and vulnerability analysis on course of the military to look at, you'd say, okay, well, there's a, this is a missile defense system and it's extremely hardened, extremely well defended.

How do I do it?

Well, it's only got one source of power and that power goes to that power station over there which is not defended at all. I'm gonna go hit that power station. So it's the exact same thing from a, it's one of the reasons I actually like cybersecurity, cuz it's probably closer to actual modern warfare than most, a lot of things you can do in the civilian world.

But it's a very similar thing is when you're putting up defenses, well, do I have all my defenses up though? Is my firewall up to date? Do I have everything patched? Do I have my rules in there? Do I have a good SIEM? Am I, you know, what are my reports? How frequently are my reports going? How often are we analyzing our logs? From the outside, you're kinda looking at going, assuming they have the standard defenses in place, what am I going to do to get around them?

Am I gonna do a USB drop that I'm gonna drop in the parking lot? Those are the 70% success rate that ... right? Am I gonna social engineer? Because I'm kinda like Kevin Mitnick and I'm a real wizard at this and I'm gonna go call the CEO's secretary and say, Hey, this is Microsoft. Can I have your password?

And so you definitely have to be more creative. I think there's without a doubt doing that. And so we actually, if you, in World of Haiku, particularly when you get past the training missions one through four, and you go five, six, seven, you very specifically, you've gotta be creative when you go in there. And I see people on our Discord stuck all the time saying there must be a bug in the game cause I'm stuck.

And other people come in and go, there's no bug. Maybe try thinking about it this way or try thinking about it that way. And so we absolutely have that.

Jeremy

It's a gamer's mindset game.

Eric

I mean, yeah, I mean, if you're a hacker, it's like playing a puzzle game.

How am I gonna figure out this puzzle? You must think about it in a different perspective. You know, Rubik's cube. I've gotta turn it a different way than I was turning it before. And so we absolutely incorporate that. That's a key part of the profession.

Jeremy

Awesome.

Well, we're running out of time here, but I wanted to, you know, ask one last question.

Everything that we've talked about today, I think is super exciting. I think it's gonna be really, really beneficial to everybody who goes through this training. And for those who are trying to get started in the industry or level up or find career options, there's so much potential for people out there entering the cyber practitioner workforce.

So kudos to you and your team for addressing a really serious need that we all have.

On those lines, is there like an early success story that you can share with the audience, you know, an organization that you've worked with or some people that you can talk about? Anything would be awesome. I think that would be a great note to end today's discussion on.

Eric

Yeah.

Thank you.

I mean, the reception we had, you know, in Steam, we sold about 2,600 units in the first two weeks. I mean, just had a great reception. When I was at Black Hat, I wore a Haiku shirt and I had people coming up to me and saying, you're Haiku and I'm like, I'm Haiku. You've heard of it? They're like, oh my God, I love your game. And I'm like, oh, okay.

And I actually brought, I had a Comic Con bag full of shirts. And so I gave shirts and people like they'd go to the bathroom and put the shirts on right away because they wanna, I'm like, okay, people love the game. Like fanatical! I've seen online kind of defending us, you know, one person came in and said, well, this is crap because or whatever, people say anything online.

Yeah.

And I saw people and it was actually interesting. I saw people leaping up to defend us and to our lead point, our lead developer said, it's not a good look when our marketing people are so aggressive online. I said, these are our marketing people. I don't know who they are.

Jeremy

These are fans.

Eric

They love the game. They sound like our marketing, but they aren't.

And we've had some others as well. We, um... San Diego Cyber Center of Excellence, they bought the World of Haiku as their platform for training. World of Haiku and Haiku Pro as their platform for training. It's a nonprofit in San Diego based upon setting up a cyber center. San Diego State University, we have a pro partnership with them. They've got a cyber certification program and they knew about us.

And when I sat and talked with John and Winnie Callahan, who are the brains behind that whole certification program, they said, hey, we'd love to have your product as an additional offering for our certification program to give people the hands-on skills and the connection. So when they finished certification, they've already got jobs that they know they can apply for. And they've got a skills resume showing what they've done. So they're super excited about it. I had another, a person, a defense contractor, say, and I was actually just gonna follow up with her saying she'd like to buy it for all their employees as a corporate offering.

Because the price, you know, we priced it at the price of a video game. Everybody's kind of stunned by that, and they're like, oh, can, can I buy this?

So we've had a number of just real, real success stories where people in the industry are fanatical about what we've done and they wanna see more. And then other people who say we can use that. Yeah, I'm excited and knocking wood that we're gonna keep offering things that people want and continue to expand our offering, improve it.

You know, as I talk about the gaming engine, the learning engine there, I continually wanna look at that and make it better and better every single time until finally people go, do you use Haiku? You know, why not? That's the best way you can train people.

That's kind of what I want to want to get out of this.

Jeremy

That's fantastic.

Well, Eric, thank you so much for taking the time to talk to us today and thank you for all that you and the team are doing over there to advance the overall kind of cyber community. Bring people into the fold and help make the world a safer place for all of us who are doing anything online, which is pretty much everybody in today's world.

Thanks again. My name is Jeremy. I've been the host for today's episode of the Ask A CISO podcast. Thank you to all of you in our audience for joining us.

We'll see you next time.

Jeremy Snyder

Jeremy serves on the Horangi advisory board. Jeremy Snyder has over 20 years of experience in IT and cybersecurity, with deep industry exposure in the M&A space. Some of his previous employers include Amazon Web Services, DivvyCloud and Rapid7. Jeremy has lived in 5 countries and speaks several languages. He is currently the Founder and CEO of FireTail.io, a leader in API security.
