Attacks/Breaches

4/4/2018
03:20 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

How Gamers Could Save the Cybersecurity Skills Gap

McAfee shares its firsthand experience on training in-house cybersecurity pros and publishes new data on how other organizations deal with filling security jobs.

Grant Bourzikas, McAfee's chief information security officer (CISO), swears by gamification as one of the key ways to invest in and retain security talent. It's a strategy his own company has adopted in building out its security operations center in the wake of its spin-off from Intel, and new data from a study by Vanson Bourne on behalf of McAfee found that nearly three-fourths of organizations believe hiring experienced video gamers is a solid option for filling cybersecurity skills and jobs in their organizations.

Since much of the challenge of staffing a stable and successful security operations center (SOC) is retaining talent, the happier and more skilled the staffers, the better they operate and the longer they stay, according to the study, which polled 950 cybersecurity managers and professionals in organizations with 500 or more employees in the US, UK, Germany, France, Singapore, Australia, and Japan.

Some 54% of security pros who say they are "extremely" satisfied in their jobs engage in capture-the-flag games one or more times a year; 14% of pros who are unhappy in their jobs participate in those exercises.

Bourzikas says McAfee hosts tabletop exercises for its staff every two weeks, as well as monthly red exercises. "Gamification, I think, is about how I get people to think about the bigger picture" of their day-to-day security tasks, he says. "People that are new to cybersecurity want to focus on the shiny new threats and attacks and attack vectors. Most don't like [just] doing the basic operations stuff."

Gaming exercises help security pros improve and hone their skills, he says, and McAfee offers them to all levels of SOC staffers, for instance. "It gets them to think differently about the problem," he says. "On the gamer side, they can learn from their mistakes, how to beat [their] opponent."

As part of McAfee's tabletop exercises, the participants learn to understand the type of a breach and what to do when it hits, for example. "It's a way to think about present conditions and coming up with new ways" to add to the playbook, he says. "How do we understand and challenge the assumptions we have today?"

Some 52% of the organizations in the survey say they experience turnover of their full staff on a yearly basis. Nearly 85% find it difficult to get the talent they need, yet 31% say they don't actively work to attract new blood.

"My view is that it's more of a skills shortage than a people shortage," Bourzikas says. "It's critical to have a talent program for attracting, retaining, and developing" people, he says. "How do you give people who come in a career path where they feel rewarded and feel they are compensated and taken care of?"

In McAfee's new study, close to 90% of security pros said they would consider leaving their jobs and going elsewhere with the right incentives, while 35% say they are "extremely satisfied" and staying put.

According to Dark Reading's "Surviving the IT Security Skills Shortage" survey last year, more than half of organizations claim to have some highly skilled staffers but also have some who "need a lot more training." Fewer than one in four say their teams are well trained and up to date on the latest technologies and threats, according to the report.

Automation
Automating mundane SOC and other security tasks is the Holy Grail, of course. More than 80% say automation would make security defenses work better. Bourzikas points to the promise of machine learning, neural networks, artificial intelligence, and human-machine teaming as the key to happier security pros and more-secure organizations. "If we can automate those mundane tasks we face, then we can focus on the rest of it," he says.

Bill Woods, director of information security for McAfee's converged physical and cybersecurity operations, says there's still no such thing as a perfectly secure system.

"You have to accept the fact that you are never going to have impenetrable systems. It's always going to be a game of chess. The opposer is always going to be making moves, some of which will hurt you," he says. "It's always going to be a battle. But that is what keeps the job interesting."

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
4/5/2018 | 12:35:34 AM
So-called shortage
This is why enterprises need to give up on the "cybersecurity talent shortage" myth. The technologies, vulnerabilities, and exploits are going to be constantly changing. Consequently, the good guys will always be at least somewhat behind and need upskilling. Better to get good workers who are willing and able to learn and adapt now than wait for Prince Charming.
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: White Privelege Day
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17282
PUBLISHED: 2018-09-20
An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.
CVE-2018-14592
PUBLISHED: 2018-09-20
The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
CVE-2018-15832
PUBLISHED: 2018-09-20
upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI ha...
CVE-2018-16282
PUBLISHED: 2018-09-20
A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI.
CVE-2018-16752
PUBLISHED: 2018-09-20
LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.