Concerted efforts to increase job satisfaction, automation in the security operations centre (SOC) and gamification in the workplace are key to beating cyber criminals, a survey by security firm McAfee shows.
This is because in addition to the increased number and complexity of cyber threats, IT security teams are facing challenges in terms of technology investment and finding people with the necessary cyber security skills, according to the survey report entitled Winning the game.
The McAfee-commissioned study polled 300 senior security managers and 650 security professionals in public sector and private sector organisations with 500 or more employees in the UK, US, Germany, France, Singapore, Australia and Japan.
The survey shows that 46% of respondents believe that in the next year they will either struggle to deal with the increase of cyber threats or that it will be impossible to defend against them.
The competition between security responders and cyber criminals is further complicated by the cyber security skills crisis, with 24% of respondents saying they need to increase their IT staff by a quarter to manage the threats their organisations are currently facing. But 84% admit it is difficult to attract talent, while 31% say they do not actively do anything to attract new talent.
“With cyber security breaches being the norm for organisations, we have to create a workplace that empowers cyber security responders to do their best work,” said Grant Bourzikas, chief information security officer at McAfee.
“Keeping our workforce engaged, educated and satisfied at work is critical to ensuring organisations do not increase complexity in the already high-stakes game against cyber crime,” he said.
The growing threat landscape and recruitment and retention challenges facing the cyber security workforce mean that automation needs to be a key element in the game against cyber attackers, the report said.
By pairing human intelligence with automated tasks and putting human-machine teaming into practice, the report said automated programs handle basic security protocols while practitioners have their time freed up to proactively address unknown threats.
Most respondents (81%) believe their organisation’s cyber security would be stronger if it implemented greater automation, a quarter said that automation frees up time to focus on innovation and value-added work, while nearly a third (32 percent) of those not investing in automation say it is due to lack of in-house skills
Gamification, the concept of applying elements of game-playing to non-game activities, is growing in importance as a tool to help drive a higher performing cyber security organisation, the survey found.
Within organisations that hold gamification exercises, hackathons, capture-the-flag, red team-blue team or bug bounty programs are the most common, and almost all (96%) of those that use gamification in the workplace report seeing benefits.
Respondents who report they are extremely satisfied with their jobs are most likely to work for an organisation that runs games or competitions multiple times per year, the report said.
More than half (57%) of respondents report that using games increases awareness and IT staff knowledge of how breaches can occur, 43% said gamification enforces a teamwork culture needed for quick and effective cyber security, and 77% of senior managers agree that their organisation would be safer if they used more gamification.
The next generation of cyber threat hunters
To address the shortage in skilled cyber security workers, the report suggest that gamers, those engaged and immersed in online competitions, may be the logical next step to plugging the gap.
Nearly all (92%) of respondents believe that gaming affords players experience and skills critical to cyber security threat hunting: logic, perseverance, an understanding of how to approach adversaries and a fresh outlook compared to traditional cyber security hires.
Three-quarters of senior managers said they would consider hiring a gamer even if that person had no specific cyber security training or experience.
Some 78% said the current generation entering the workforce – who grew up playing video games – are stronger candidates for cyber security roles than traditional hires, while 72% said hiring experienced video gamers into the IT department is a good way to plug the cyber security skills gap.