Attacks/Breaches

4/4/2018
03:20 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

How Gamers Could Save the Cybersecurity Skills Gap

McAfee shares its firsthand experience on training in-house cybersecurity pros and publishes new data on how other organizations deal with filling security jobs.

Grant Bourzikas, McAfee's chief information security officer (CISO), swears by gamification as one of the key ways to invest in and retain security talent. It's a strategy his own company has adopted in building out its security operations center in the wake of its spin-off from Intel, and new data from a study by Vanson Bourne on behalf of McAfee found that nearly three-fourths of organizations believe hiring experienced video gamers is a solid option for filling cybersecurity skills and jobs in their organizations.

Since much of the challenge of staffing a stable and successful security operations center (SOC) is retaining talent, the happier and more skilled the staffers, the better they operate and the longer they stay, according to the study, which polled 950 cybersecurity managers and professionals in organizations with 500 or more employees in the US, UK, Germany, France, Singapore, Australia, and Japan.

Some 54% of security pros who say they are "extremely" satisfied in their jobs engage in capture-the-flag games one or more times a year; 14% of pros who are unhappy in their jobs participate in those exercises.

Bourzikas says McAfee hosts tabletop exercises for its staff every two weeks, as well as monthly red exercises. "Gamification, I think, is about how I get people to think about the bigger picture" of their day-to-day security tasks, he says. "People that are new to cybersecurity want to focus on the shiny new threats and attacks and attack vectors. Most don't like [just] doing the basic operations stuff."

Gaming exercises help security pros improve and hone their skills, he says, and McAfee offers them to all levels of SOC staffers, for instance. "It gets them to think differently about the problem," he says. "On the gamer side, they can learn from their mistakes, how to beat [their] opponent."

As part of McAfee's tabletop exercises, the participants learn to understand the type of a breach and what to do when it hits, for example. "It's a way to think about present conditions and coming up with new ways" to add to the playbook, he says. "How do we understand and challenge the assumptions we have today?"

Some 52% of the organizations in the survey say they experience turnover of their full staff on a yearly basis. Nearly 85% find it difficult to get the talent they need, yet 31% say they don't actively work to attract new blood.

"My view is that it's more of a skills shortage than a people shortage," Bourzikas says. "It's critical to have a talent program for attracting, retaining, and developing" people, he says. "How do you give people who come in a career path where they feel rewarded and feel they are compensated and taken care of?"

In McAfee's new study, close to 90% of security pros said they would consider leaving their jobs and going elsewhere with the right incentives, while 35% say they are "extremely satisfied" and staying put.

According to Dark Reading's "Surviving the IT Security Skills Shortage" survey last year, more than half of organizations claim to have some highly skilled staffers but also have some who "need a lot more training." Fewer than one in four say their teams are well trained and up to date on the latest technologies and threats, according to the report.

Automation
Automating mundane SOC and other security tasks is the Holy Grail, of course. More than 80% say automation would make security defenses work better. Bourzikas points to the promise of machine learning, neural networks, artificial intelligence, and human-machine teaming as the key to happier security pros and more-secure organizations. "If we can automate those mundane tasks we face, then we can focus on the rest of it," he says.

Bill Woods, director of information security for McAfee's converged physical and cybersecurity operations, says there's still no such thing as a perfectly secure system.

"You have to accept the fact that you are never going to have impenetrable systems. It's always going to be a game of chess. The opposer is always going to be making moves, some of which will hurt you," he says. "It's always going to be a battle. But that is what keeps the job interesting."

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
4/5/2018 | 12:35:34 AM
So-called shortage
This is why enterprises need to give up on the "cybersecurity talent shortage" myth. The technologies, vulnerabilities, and exploits are going to be constantly changing. Consequently, the good guys will always be at least somewhat behind and need upskilling. Better to get good workers who are willing and able to learn and adapt now than wait for Prince Charming.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10091
PUBLISHED: 2019-03-21
AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 allow XSS.
CVE-2018-10093
PUBLISHED: 2019-03-21
AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 allow Remote Code Execution.
CVE-2017-2659
PUBLISHED: 2019-03-21
It was found that dropbear before version 2013.59 with GSSAPI leaks whether given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.
CVE-2017-16231
PUBLISHED: 2019-03-21
** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of st...
CVE-2017-16232
PUBLISHED: 2019-03-21
** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue.