Does CambiOS Academy Shake Up The OT Security Training Market?

There were 12 organizations at the OT Security Training Roundup at S4x25. The entry bar was low. Buy a ticket and have an OT security training course to promote. The most noteworthy entrant was the launch of CambiOS Academy.

The founders behind CambiOS Academy are a well known list of experts in OT security. Markus Braendle, Marty Edwards, Rebekah Mohr, Jonathan Pollet, and Derek and Trisha Harp. The faculty is an even longer list of equally impressive names. There is plenty of brainpower and experience to feel confident then could teach students at all levels and on almost any OT security topic.

The question is can they make a business out of this?

Today the OT security training market is SANS and then a number of lesser players. Lesser not necessarily in the content or student experience. Lesser in the number of students and market share of the OT security training dollars. SANS is the most expensive, and it also is the largest. They have a proven successful methodology for course development and teacher training and certification.

SANS also has a strong brand and marketing team, and the tight relationship with Rob Lee, Dragos, and their marketing talent. SANS is developing new courses for OT security every year. They like this segment of the cybersecurity training market.

SAN's price point, particularly for online courses, opens a door for competitors.

Prior to CambiOS there hasn't been a serious competitor.

• ISA offers courses and certifications that get mixed reviews that are highly dependent on who is teaching the course. They lack the training methodology and instructor training rigor that SANS has, the marketing chops, and it's hard to see how they turn this around without a significant infusion of talent and money.
• Specialty Courses Taught By Top Talent - We had three at S4x25: Joe FitzPatrick, Joel Langill, and Joe Slowik taught courses that students raved about. These aren't serious competition for SANS because they don't scale. It's an option you should consider if the topic and location works for you, but SANS isn't worried about this.
• Government / Lab: Prior to SANS the leader in OT Security Training was INL. They have one distinct advantage. Their courses are free. They also have trouble scaling, need .gov funding which comes in and out, and we are repeatedly told national labs are not allowed to compete with private industry.
• ICS Vendor Courses: Many ICS vendors offer online and in person courses. Usually these are on their technology. In some cases, such as OPSWAT Academy, they have a broader offering. This will always be a sideline for these vendors.

I'm guessing this OT security training landscape was appealing to the CambiOS team. If they can come in at a much lower price point and offer quality training, perhaps with more of an automation/OT bent, there is a position to be claimed.

A "much lower price point" is difficult for in-person training for a business. An individual/speciality course can do it, but the business has a lot more overhead, a lot more people to pay besides the teacher. One approach that could work for in person training is holding it at and for large asset owners. The asset owner provides the training facility, the food / drink, etc. I'm unsure how big this market is. How many companies want to train 20 people in their company?

The window, the position, where SANS might be vulnerable is in online training. SANS typically charges the same $8K or $9K for online training. This is probably so they don't cannibalize their in-person training, or maybe they do it because they can. It's not difficult to map out how a business could charge $3K or less and make money on the online courses.

CambiOS hasn't put out much information on their offering and approach, and I won't share private discussions. They are keenly aware of potential positioning vis-a-vis SANS.

Would you bet on CambiOS success? While I'm rooting for more OT security training options, the odds are against CambiOS becoming a "serious competitor" to SANS. The two main reasons are 1) the team doesn't have anyone who has run a training business that has scaled beyond the specialty category. And 2) there are too many leaders involved. It's great for a launch to show all this talent, and 3 years from now they might be able to use half of this talent. This may not be a big issue if most of those people have their names on the site for support and affiliation, and don't expect to do much or get much.

CambiOS could provide great courses and teach 100s of students each year, and even make some money, and still not be a serious competitor to SANS. In the same way that S4 isn't a serious competitor to RSA, Black Hat or DefCon.

Bravo to the CambiOS team for taking their shot.

Sign up for my ICS Security: Friday News & Notes.