For infosec pros, fighting threat actors is no game. Maybe it should be.
Adding more learning games — called gamification — is one of the suggestions raised by an international survey, paid for by McAfee, of 950 cyber security managers and professionals in seven countries.
In response to one question, 80 per cent of respondents who said they are extremely dissatisfied with their jobs (and that was about one per cent of all respondents) said they wished their organization ran cyber security games like bug bounties or hack-a-thons.
Of those whose firms do use gamification:
• more than half (57 per cent) of respondents said that using games increases awareness and IT staff knowledge of how breaches can occur
• 43 per cent say gamification enforces a teamwork culture needed for quick and effective cybersecurity
• and just over three-quarters (77 per cent) of senior managers agreed that their organization would be safer if they leveraged more gamification.
The report, issued Tuesday, surveyed 950 cybersecurity managers and professionals in public and private-sector organizations with 500 or more employees in the U.S., the U.K., Germany, France, Singapore, Australia, and Japan.
The report, called “Winning the Game,” says survey results suggest there are three “clear winning factors to boost the effectiveness of defenses against cyber security threats:” Job satisfaction of cybersecurity employees, automation and use of gamification.
According to McAfee, about 40 per cent of organizations in the survey said they run some kind of gamification exercise at least once per year. The most common is capture the flag (the IT staff are split into two teams, each trying to attack the other’s system while defending their own), followed by red team versus blue team (dedicated infosec teams are either split in two for the same purpose, or an external company is hired to be the red [attack] team.)
As an aside, an overwhelming majority of respondents (92 per cent) also agreed video gamers possess skills that make them suited to a career in cybersecurity.
Gamification has been used for a range of reasons in enterprises, including learning new skills (particularly security awareness, new software or a business process), contributing ideas or understanding how to work better together. Some games — many of which are cloud-based offerings — earn participants points, certificates or minor prizes. Perhaps the best known is Badgeville.
In an interview a few years ago Gartner research vice-president Brian Burke, who had written a book on the strategy, stressed that games have to be designed to help people attain their goals, not the organization’s. Ideally, they align.
Among the other findings, money, opportunities for promotion and shorter/more flexible hours are the prime reasons infosec respondents said they would leave their jobs. That’s important for CISOs to keep in mind when thinking about how to retain staff in an era when skilled talent is in demand. However, CISOs should also remember what respondents said gives them the greatest levels of enjoyment in their jobs: threat hunting/finding vulnerabilities (55 per cent), resolving threats (55 per cent), and preventing threats from entering the network (54 per cent).
“It’s perhaps no surprise that such types of cybersecurity work appeal to many security staff, with just over a fifth (21%) of security professionals saying a threat hunter position either in their current organization or elsewhere is a career aspiration.”