Attacks/Breaches

4/4/2018
03:20 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

How Gamers Could Save the Cybersecurity Skills Gap

McAfee shares its firsthand experience on training in-house cybersecurity pros and publishes new data on how other organizations deal with filling security jobs.

Grant Bourzikas, McAfee's chief information security officer (CISO), swears by gamification as one of the key ways to invest in and retain security talent. It's a strategy his own company has adopted in building out its security operations center in the wake of its spin-off from Intel, and new data from a study by Vanson Bourne on behalf of McAfee found that nearly three-fourths of organizations believe hiring experienced video gamers is a solid option for filling cybersecurity skills and jobs in their organizations.

Since much of the challenge of staffing a stable and successful security operations center (SOC) is retaining talent, the happier and more skilled the staffers, the better they operate and the longer they stay, according to the study, which polled 950 cybersecurity managers and professionals in organizations with 500 or more employees in the US, UK, Germany, France, Singapore, Australia, and Japan.

Some 54% of security pros who say they are "extremely" satisfied in their jobs engage in capture-the-flag games one or more times a year; 14% of pros who are unhappy in their jobs participate in those exercises.

Bourzikas says McAfee hosts tabletop exercises for its staff every two weeks, as well as monthly red exercises. "Gamification, I think, is about how I get people to think about the bigger picture" of their day-to-day security tasks, he says. "People that are new to cybersecurity want to focus on the shiny new threats and attacks and attack vectors. Most don't like [just] doing the basic operations stuff."

Gaming exercises help security pros improve and hone their skills, he says, and McAfee offers them to all levels of SOC staffers, for instance. "It gets them to think differently about the problem," he says. "On the gamer side, they can learn from their mistakes, how to beat [their] opponent."

As part of McAfee's tabletop exercises, the participants learn to understand the type of a breach and what to do when it hits, for example. "It's a way to think about present conditions and coming up with new ways" to add to the playbook, he says. "How do we understand and challenge the assumptions we have today?"

Some 52% of the organizations in the survey say they experience turnover of their full staff on a yearly basis. Nearly 85% find it difficult to get the talent they need, yet 31% say they don't actively work to attract new blood.

"My view is that it's more of a skills shortage than a people shortage," Bourzikas says. "It's critical to have a talent program for attracting, retaining, and developing" people, he says. "How do you give people who come in a career path where they feel rewarded and feel they are compensated and taken care of?"

In McAfee's new study, close to 90% of security pros said they would consider leaving their jobs and going elsewhere with the right incentives, while 35% say they are "extremely satisfied" and staying put.

According to Dark Reading's "Surviving the IT Security Skills Shortage" survey last year, more than half of organizations claim to have some highly skilled staffers but also have some who "need a lot more training." Fewer than one in four say their teams are well trained and up to date on the latest technologies and threats, according to the report.

Automation
Automating mundane SOC and other security tasks is the Holy Grail, of course. More than 80% say automation would make security defenses work better. Bourzikas points to the promise of machine learning, neural networks, artificial intelligence, and human-machine teaming as the key to happier security pros and more-secure organizations. "If we can automate those mundane tasks we face, then we can focus on the rest of it," he says.

Bill Woods, director of information security for McAfee's converged physical and cybersecurity operations, says there's still no such thing as a perfectly secure system.

"You have to accept the fact that you are never going to have impenetrable systems. It's always going to be a game of chess. The opposer is always going to be making moves, some of which will hurt you," he says. "It's always going to be a battle. But that is what keeps the job interesting."

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
4/5/2018 | 12:35:34 AM
So-called shortage
This is why enterprises need to give up on the "cybersecurity talent shortage" myth. The technologies, vulnerabilities, and exploits are going to be constantly changing. Consequently, the good guys will always be at least somewhat behind and need upskilling. Better to get good workers who are willing and able to learn and adapt now than wait for Prince Charming.
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15380
PUBLISHED: 2019-02-20
A vulnerability in the cluster service manager of Cisco HyperFlex Software could allow an unauthenticated, adjacent attacker to execute commands as the root user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by connecting to the cluster serv...
CVE-2019-3474
PUBLISHED: 2019-02-20
A path traversal vulnerability in the web application component of Micro Focus Filr 3.x allows a remote attacker authenticated as a low privilege user to download arbitrary files from the Filr server. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.
CVE-2019-3475
PUBLISHED: 2019-02-20
A local privilege escalation vulnerability in the famtd component of Micro Focus Filr 3.0 allows a local attacker authenticated as a low privilege user to escalate to root. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.
CVE-2019-10030
PUBLISHED: 2019-02-20
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2019-10030
PUBLISHED: 2019-02-20
A exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through anoth...