Security vendors’ construction of cybersecurity coalitions mirrors the us-versus-them implications of recent geopolitical episodes – but with opponents building their own coalitions, CISOs may need to consider gamifying their own operations to get often apathetic security staff into the right mindset.
The recent multinational condemnation of Russia’s ongoing cybersecurity probes – as well as incidents such as NotPetya’s global disruption and North Korea’s plundering of financial institutions – have escalated awareness of cybersecurity’s global nature and implications.
Fully 12 percent of breaches examined in Verizon’s recent Data Breach Investigations Report (DBIR) 2018 involved actors who were identified as nation-state or state-affiliated, with 13 percent motivated by the gaining of strategic advantage and fully 50 percent carried out by organised criminal groups.
In recent weeks, the Microsoft-driven Cybersecurity Tech Accord unified 34 industry players as the industry builds a coalition to secure customer data against government interference, abuse of customer data, and the well-organised and well-resourced teams now creating havoc for many online vendors.
The launch of formal cybersecurity training programs – Microsoft, for one, will offer 5000 government workers subsidised training on cloud security, while Vault Systems will train 3000 public servants – is intended as a shot in the arm for government bodies. Student networking is also proving fruitful, while the Waikato Institute of Technology this month brought the Fortinet Network Security Academy to New Zealand.
Yet enterprise defenders aren’t the only ones with security qualifications: according to the recent Nuix Black Report 2018, fully 22 percent of black-hat hackers have from 3 to 5 technical certifications, with 13 percent holding 5 to 10 certifications and 5 percent having more than 10 such certifications. Despite this, 78 percent of hackers said they believe those certifications are not a good indicator of technical ability.
As cybersecurity experts push for a clearer national statement on Australia’s offensive cybersecurity policies and government agencies try desperately to improve their deficient security game, individual enterprises are exploring new ways of attracting cybersecurity talent.
Let them play games
For an industry that has traditionally relied on industry certifications to vet and develop staff, the increasing intensity of cybersecurity attacks is reinforcing the need for a different approach, in the wake of ongoing struggles to attract and retain problem-solving cybersecurity staff – who, a recent McAfee study found, are frequently dissatisfied with their jobs and would welcome more regular hands-on cybersecurity experiences.
Just 35 percent of 950 CISOs in 7 countries, who participated in McAfee’s Winning the Game study, said they were extremely satisfied in their current jobs while 89 percent said they would consider leaving their roles if offered the right types of incentives.
Gamification was heralded as one of the most desirable incentives, with threat hunting and finding vulnerabilities named as the most enjoyable part of cybersecurity careers. Fully 80 percent of the extremely dissatisfied employees whose organisation does not use gamification strategies said they wished it would run regular hacking practice such as capture-the-flag exercises and bug bounties.
Such exercises are strongly correlated with improvements in staff morale, with 96 percent of respondents saying their gamification efforts had delivered benefits in areas such as teaching IT staff how breaches can occur (named by 57 percent), how to avoid becoming a victim of a breach (49 percent), and how to best react to a breach (46 percent).
Fully 23 percent said that running cybersecurity wargames had helped to recruit and attract the best cybersecurity staff, with gamers in particular valued because of their strengths in logic (56 percent), persistence (46 percent), being a quick study (44 percent), having an understanding of how to approach adversaries (43 percent), and having a fresh outlook compared with ‘traditional’ security hires.
Apart from boosting staff morale, gamification may well put cybersecurity staff in the mindset to take a more proactive approach to dealing with a surge in organised attacks. With nation-state attackers refining their tactics and moving away from general politically-motivated disruption, gamification may prove to be an invaluable defence against opponents that have found it all too easy to fire off massive salvos of attacks or DDoS disruptions.