Technology develops at a rapid pace, but sometimes it can be hard to appreciate just how quickly things can move. This can be easily seen in the history of hard drive growth. Weighing in at a monstrous 550 pounds, IBM created the first 1 gigabyte hard drive in 1980. Less than a year ago, Sony worked with IBM to develop a magnetic storage system that can save up to 330 terabytes—330,000 times the storage capacity of that fridge-sized device in the palm of your hand. That’s also 330,000 times the amount of data being stored—data that can be obtained in a large-scale data breach. To keep pace with the escalating need to secure that data, cybersecurity has grown from a practically unheard-of industry in the 1980s into a multibillion dollar industry, ballooning in size from $3.5 billion in 2004 to over $120 billion in 2017.
The cybersecurity industry develops alongside the wider tech world to meet its ever-evolving needs. Increasingly, recruitment has become one of the biggest problems facing the industry. It’s not necessarily an issue of budgeting or technical infrastructure, though both of those can become concerns. The Black Hat conference, a yearly gathering of cybersecurity specialists, has routinely ranked the inability to bring in new talent as the number one reason digital security measures fail, and an overwhelming majority of conference attendees felt that they lacked the means to refine their abilities. In other words, cybersecurity has emerged as a technological necessity so quickly that many programmers, both inside and outside the field, feel that they lack access to the skills required to compete.
One of the most unexpected solutions to the pressing question of recruiting promising cybersecurity talent has been the turn toward video games. McAfee conducted a recent survey of 300 senior security managers and 650 security professionals from across a wide variety of major corporations. Of that pool of 950 cybersecurity experts, 92% believed that skills fostered by games, such as tenacity, logic, and predicting hostile strategies, could make the gaming community an ideal, untapped reservoir of candidates.
Why, exactly, do these professionals believe gamers make such attractive candidates for cybersecurity positions? Michael McKeirnan, a Security Consultant at Deja vu Security, offered an explanation, translating the industry’s unexpected assessment. “To me, the skills developed by gaming could be arguably summarized as practice obsessing over digital problems. I think anyone who has seen both a hacker and a gamer obsessing over something can immediately understand the relationship. That ability to completely lose yourself in the problem is a valuable skill in the industry—partially because of the work ethic that comes from that obsession, and partially because of the comprehensive knowledge that type of person usually has in their domain.”
When it comes to skills, there seemed to be some degree of overlap, a similar line of thinking that gives a certain type of gamer a mindset with many applications in cybersecurity. “I'm personally not much of a gamer,” said McKeirnan, “but in my experience there's a small, intangible reward for every goal reached, or level cleared; the same can be said of finding bugs in code. That similarity means that the mindset transfers pretty fluidly from gaming to hacking.”
When asked specifically about the McAfee survey, McKeirnan found himself split on the issue. There are compelling arguments to be made on behalf of gamers, but the mindset and skills many cite as making gamers good candidates for cybersecurity aren’t necessarily unique to gamers. “With regard to the survey question, I certainly agree that the two have many similarities and that a certain type of gamer may make an excellent computer security engineer, but I'm not sure I'd buy in to the degree of hiring a gamer with no security training or experience,” he explained. He went on to describe what Deja seeks out in their hiring process, saying, “During our interviews, one of the qualities we look for is the ‘attacker mindset.’ The goal is to find that dogged problem-solving, goal-oriented mentality that we believe makes excellent hackers. In my experience, this mentality is shared by many excellent gamers; but I think that it's certainly possible to be a gamer and not have that mindset, and to have that mindset but not be overly excited about video games. As such, I'd say the candidate's drive and interest in our field, coupled with that attacker mindset, is much more important to me.”
However, despite any reservations regarding gamers, senior managers at cybersecurity firms across the industry find themselves turning to more drastic measures to fill their short-term needs. The McAfee survey found that 75% of senior managers at cybersecurity firms reported that they would hire a gamer with no experience in the field and train them internally just to meet their projected short-term needs. The talent shortage in cybersecurity poses a large, persistent, and growing problem for both private and public interests in the long-term.
Luckily for those managers, there’s no shortage of people who play video games. The medium has become the most popular form of entertainment on the planet, grossing record-breaking profits year after year. In 2016, 1.8 billion people played video games to some extent, a number that’s only expected to go up as technological infrastructure spreads around the world and the population increases.
Having identified a large and growing field of potential talent, tech firms have been puzzling over how to break into gaming to snag some of the most qualified candidates. Offering bug bounties to anyone who can find an exploitable flaw that exposes sensitive information is one of the oldest and most general approaches to digital security. While it certainly works to surface unknown vulnerabilities, the process is often too vague to engage anyone outside of a niche community of hackers or enthusiasts, and it doesn’t cast a wide enough net to recruit talent to the company itself. There are also emerging concerns that the uncontrolled nature of such programs can reveal, outside of proper disclosure channels, that a data breach has occurred.
Framing cybersecurity as an evolving puzzle can change public perception of the industry, gamifying it in the eyes of future professionals. Meeting that changed perspective with competitive initiatives can create a game-like atmosphere around the industry. The most popular of these competitions are Capture the Flag (CTF) events. These trials test the ability of participants across a wide range of skills relevant in the security industry. Often these competitions are sponsored by companies like Uber, Walmart, Raytheon, Snapchat, Amazon, or IBM, and are used to recruit promising talent.
The two most popular formats of CTF are called jeopardy and attack-defend. Jeopardy presents teams with several categories of challenges that require technical answers to problems in areas such as cryptography, hacking, forensics, networking, and programming. Attack-defend challenges pit two or more teams against each other, using any means necessary to take and maintain control of an isolated network of computers. Competitive CTF events can be found throughout the industry, with notable examples like the US Cyber Challenge, the National Collegiate Cyber Defense Competition, or at larger tech meetings like Google’s Chromium Conference. Those who rise to the top of these competitions become highly sought after by the companies who watch them intently. For those who find it engaging, excelling at a major competition can serve as a route into the industry in place of a job interview.
“[The founders of Deja] were on a team that won the DEFCON CTF several times and subsequently ran that competition for a number of years afterwards,” Deja vu Security’s McKeirnan explained when asked about these competitions. “We love to talk about CTFs and CTF problems with our candidates, but we also sympathize with people who aren't overly fond of them. Some CTFs have a few ‘guess what's in my pocket’-type problems that can really rub some bright folks the wrong way.”
Thankfully, the competitive space has become more varied with time. New variations on the traditional CTF types appear frequently, and McKeirnan suggested that a more equitable type of challenge could be found in wargame simulations. “There are some public wargames and challenge sets that we really like, and we love to chat with candidates about how they solved these problems and what they learned by doing them.” McKeirnan’s two favorite wargames are The Matasano Crypto Pals published by Matasano Security and the Over the Wire problems. “These types of wargames don't generally have a leaderboard or anything, but most people in the industry are familiar with them and they're a great way for folks to show some serious initiative and play some games at the same time.” While those exercises aren’t flashy and won’t win prestige in a public setting, they teach valuable skills in a gamified format that leaves potential employers in cybersecurity eager to hire.
While these initiatives are often aimed toward adults, some competitions are designed to educate the ever more technologically literate youth and offer scholarships to talented youngsters who excel. Programs like the Air Force Association’s CyberPatriot aim to make cybersecurity problem-solving fun for kids in grades K-12. Introducing the next generation to a world of competitions is framed as a long-term investment by the public and private interests sponsoring these initiatives. They seek to secure a steady stream of talent for years to come.
The creative solutions to reach gamers have taken many forms over the last few years. Information security companies often make use of low-tech games that are meant to demonstrate skills such as codebreaking. Deja vu Security, for example, makes use of cards printed with different bite-sized challenges. McKeirnan explained that “puzzles like the cards are somewhat common in the industry, though certainly not ubiquitous. They provide excellent signals about how motivated and skilled candidates are before they even show up to an interview. Typically, if a candidate has completed or made significant progress through a challenge, they're an excellent fit.”
These pocket-sized challenges can be easily distributed, and they offer a wide range of puzzles from simple codebreaking to deciphering elliptic curve cryptography. This makes them ideal for identifying competitive candidates in the wild at job fairs, though they aren’t the only options available. “Lately we've been using an in-person ‘find the bug’ challenge instead [of the cards]. For that one, we post a sample of code at the booth with some known security vulnerabilities and direct anyone who's interested to ‘find the bug.’ This one is a big hit at career fairs,” McKeirnan said. “We consistently have crowds [of people] blocking off the whole area, just staring at the code until they think they've figured it out. Even recruiters from other companies usually come over near the end of the event to try and give it a go. We really like that type of challenge because it gives us a chance to talk over the problem with our potential candidates; we can see how they're thinking, and get to know them a bit better before we've even added their resume to the pile. Better still, many folks who wouldn't have submitted their answer online will come talk to us about it because we're right there.”
This type of approach brings in new types of people with gamified challenges, though it operates on a small scale. Larger solutions loom on the horizon. If it is difficult to train people up to deal with the current level of technical complexity, perhaps complicated cybersecurity functions can instead be streamlined down to meet new talent at their own level in a game-like setting.
In an announcement issued earlier this year, McAfee’s Chief Information Security Officer Grant Bourzikas stated, “With cybersecurity breaches being the norm for organizations, we have to create a workplace that empowers cybersecurity responders to do their best work. […] Keeping our workforce engaged, educated, and satisfied at work is critical to ensuring organizations do not increase complexity in the already high-stakes game against cybercrime.” Bourzikas makes a good point about streamlining the protection process on all fronts, and that includes recruitment. ProtectWise CEO Scott Chasin builds on that idea with the assumption that attracting new talent will be easier with a less daunting interface that feels more intuitive. What better way to do that than with a gamified digital environment to make the positions more attractive?
To that end, Chasin’s company developed a tool called ProtectWise Grid, a UI overlay that creates a virtual city within which all devices connected to a given network appear. The software represents each device as a building that varies in size and shape depending on the kind of device, connection, and amount of data being used. Chasin believes his software holds at least part of the key to solving the cybersecurity shortage facing the industry by using a game-like model to lower the skill level necessary to enter the industry.
The goal of the technology is to meet incoming talent in a manner they intuitively understand, skipping a lot of the technical know-how that traditional candidates require currently. "Level one analysts today require very advanced skillsets. In a UI like this, we can remove that," Chasin said. Given the ubiquity of gaming in the tech world, this could be a great help in bringing in entry level candidates. Of course, those who move up to leadership positions in cybersecurity will really have to know their stuff, but as Chasin notes, “You don't have to be a pilot to fly a drone.”
Organizations such as Symantec, ISACA, and Cybersecurity Ventures predict a global shortage of over two million digital security specialists by 2019. However, the numerous gamified solutions to the ongoing cybersecurity shortage offer hope to those struggling on the frontlines against cybercriminals. An increasing emphasis on gamification techniques, both the tried-and-true methods of companies like Deja vu Security and the seemingly sci-fi solutions on the horizon, might just help us thwart the next big data theft or cyberattack.
This piece has been cross-posted on the Deja vu Security blog.
Don't forget to sign up for Extra Life to help sick and injured kids in hospitals around the US and Canada by playing games!