How to gamify cybersecurity preparedness
Organizations’ preparedness and resilience against threats isn’t keeping pace with cybercriminals’ advancements. Some CEOs still believe that cybersecurity requires episodic intervention rather than ongoing attention. That isn’t the reality for many companies; cyber threat preparedness requires a concerted training effort, so cybersecurity teams are ready when an attack occurs.
Cybersecurity practitioners often share curiosity as a key personality trait, and many enjoy hands-on learning approaches. This naturally makes gamified experiences like competitions and capture-the-flags a great fit. If you have teams that are already prone to good-natured competitive challenges amongst each other, or those who already have experience with college or high school cyber clubs, they may already be familiar with this type of training and enjoy bringing it to their work.
To that end, these are some key considerations for leaders to keep in mind as they revamp their training curricula and help their teams prepare for this new era of cyber threats:
Understanding company priorities, initiatives, and risks
With the cost of a data breach nearing $4.5 million, organizations can’t afford to have teams at odds during an emergency, when every minute counts.
Cross-training is valuable and should be incorporated into any training plan. It doesn’t just help with coverage in a crisis – it helps create a true purple team mindset and grows the team overall.
There’s a lot of value in, for example, a SOC analyst doing games designed for the red team or for an offensive security engineer to tackle log analysis and forensics. While team leads shouldn’t necessarily expect their governance or risk professionals to do memory forensics or secure coding challenges, fostering collaborative training where possible and relevant (even offline, like in a real-life escape room – more on that later) will strengthen cross-functional work when it matters most.
Leaders should take the time to look at which knowledge or coverage gaps exist, and how they directly impact the business. This can be done by looking at lessons learned in previous incident responses, audits, or sourcing conversations.
Understand your organization’s strategic goals, map the needed skills back to those goals, and then build out the training plan. For example, work in an industrial/manufacturing organization where safety is a key metric for the company. Exploring learning platforms that focus on securing industrial control systems may be beneficial. If a previous incident response identified that a web app misconfiguration resulted in a compromise, training focused on hardening, defending, or exploiting common web app issues may be a good starting place.
Overly competitive or advanced training ≠ better outcomes
Training can and should be rewarding, and gamification makes those rewards clearer for employees. Meet teams where they are and build in complexity as skills grow. It can be discouraging and detrimental to start a training program that leaves participants feeling imposter syndrome because it’s too advanced for them. Harder, more competitive, and more expensive training doesn’t always correlate with the best outcomes.
There are plenty of free and community-based training programs and environments to leverage, including – encouraging personal exploration of free capture-the-flags (CTFs), or using platforms to help gauge where strengths and weaknesses are before moving into paid services and corporate training design.
Training doesn’t have to be done on a computer, either. Games allow your teams to self-organize, strategize, manage time, and build communication while supporting them with resources or strategic guidance. So, a team-building exercise like an in-person escape room or card games like Black Hills Infosec’s Backdoors and Breaches serve this purpose. New or unlikely leaders emerge throughout these activities, and each person can learn about the strengths of their peers.
The goal of training shouldn’t be to ensure your teams get 100% on a quiz, but rather that they come away from training with a new “a-ha” moment or knowledge of a method they didn’t have before.
Gamified training unearths unexpected skills
Technical acumen on cybersecurity teams is table stakes – gamified training helps uncover and develop the soft skills needed to successfully thwart or remediate a threat, such as empathy, delegation, and time management.
In team-based CTFs, for example, the strongest players tend to share specific traits. Team captains who can empathetically assess their team’s strengths succeed by establishing planning, communicating, and aligning team strategy to individuals’ strengths. Just like the best cybersecurity leaders, the outstanding CTF players recognize that it’s not about having “rock star unicorns,” but instead finding the right individuals to tackle the right problems based on where they excel.
The second most important lesson I learned early in my CTF career was about time management. Sometimes, you make the trade-off of knocking out the easy challenges first to “get ahead” – but that may result in running out of time for harder challenges. Just like in the professional world, games show we have limited resources and time to accomplish tasks, and we must weigh value against the cost of time and what skills or tools are available. Learning how to strategically choose which challenges to solve and in what order – especially when solving all of them is impossible – directly parallels how we make strategic risk or incident triage decisions in the professional world.
Conclusion
Our training and development tactics must evolve to keep cybersecurity teams motivated and ready for new challenges. The synergies between games (including those unrelated to security) and working in cybersecurity are common, and with a significant IT skills shortage that will only get worse, according to IDC research, ensuring teams are staffed for cybersecurity is critical.
Those with experience in the planning and coordination required for leading or participating in table-top role-playing games or competitive e-sports may represent a curious, motivated, problem-solving pool of possible talent valuable to the industry.
Brushing up on “how to think” through gamified training and team activities is a core piece of this puzzle, all while reducing the burnout that often comes with drier workshops or training presentations. As employers and team leaders look to address the talent shortage and skills gap in cybersecurity, significant opportunities to improve team collaboration and skills lie in games.