Chief information security officers (CISOs) of Global 2000 enterprises have one of the toughest jobs in the world, defending their organization’s cyberspace and being the guardian of its assets and private information. But CISOs also have a second, even bigger problem: Their own company employees.
There are always gaping holes in individual organization’s cyber-defenses, including but not limited to: Unpatched systems, reused passwords and misconfigurations. CISOs want to shore up their organization’s defenses, but unfortunately, the rest of the company might not be very helpful: They either do the wrong thing, or nothing at all to help improve the company’s cybersecurity posture.
Human causes of cyber-breaches like misclicks, misconfiguration or the failure to fix a known and critical vulnerability are very common, and improving cybersecurity awareness to the point when business owners can be effective cyber-risk owners is very hard. CISOs struggle to explain to their colleagues that there is no way that they and their small security teams can secure everything alone. In fact, CISOs require the help of every employee.
Fortunately, an effective strategy to increase employees’ ownership of cyber-risk management can be found in an unlikely place: Ad-hoc gamification.
Gamification of a company’s cybersecurity practice involves leveraging employees’ natural desires for learning, mastery, competing, achievement, status, recognition and rewards towards reducing an organization’s overall breach risk. According to findings from the American Psychological Association, competition increases physiological and psychological activation, which prepares employees’ minds for increased effort and enables higher performance. In this case, higher performance means being better able to detect and thwart security threats.
Gamification is most effective when the “gamemaster” of the initiative applies a comprehensive approach.
The first step is to identify risk-owners. This can be partially done via an organizational chart, but that should be shored up by observing and analyzing a company’s network traffic and endpoint activity. This allows risk to be traced back to individual users’ actual behavior. What services do they connect to? What privileges do they have?
Analyzing the configuration management database (CMDB) and legacy inventory systems can fill out the picture and identify assets for which there appears to be no risk owner.
From there, the gamemaster can define groups and assign them to specific team leaders.
Next, enable notifications and digests that allow the gamemaster to communicate with all employees by using rich context. For example, when the next WannaCry emerges, the gamemaster will be able to automatically notify each relevant risk-owner about the situation to let them know if there is a high-value remediation task that must be completed.
Allow the gamemaster to assign tasks with context to each risk-owner that includes different options for mitigating risk. People tend to perform at their best when provided with some degree of autonomy in how the task may be achieved, and are more engaged when they know they have room to learn as well as show creativity and initiative.
Gamification takes the fun part about games and effectively applies it to situations that are generally seen as not fun or as having no day-to-day value (a.k.a. “busywork”). The heart of effective implementation of gamification revolves around points and incentives; risk-owners that complete cybersecurity tasks correctly and in a timely fashion will be awarded points.
If using a gamification platform, it can be programmed to track and validate the completion of tasks by risk owners as well as tally their points and other accolades. Consider integrating with ticketing systems like ServiceNow and Jira to provide task assignments and context.
Public recognition in the form of physical badges that are achieved also goes a long way in driving a deeper sense of risk ownership and management to individual risk owners.
Scores can be published on a leaderboard to inspire further competition. Companies can even consider monthly, quarterly or even annual recognition of top performers with a prize. What employee would not want to participate in cybersecurity posture transformation if there was a chance of winning an all-expenses paid trip to Hawaii?
Furthermore, implementing gamification with an AI-powered or automated cybersecurity platform allows corporate security teams to assess employees that may need more training, identify weaknesses such as reused passwords or risk hotspots, and identify security controls that are ineffective or hard to use.
By taking the best parts of game mechanics and applying it to something that may be seen as dull by a company’s employees, gamification can improve an organization’s cybersecurity with an all-hands approach. In our experience, we have seen a dramatic improvement in cybersecurity posture due to gamification, e.g., mean-time-to-patch for critical CVEs dropping from 30 days to four hours.
Gaurav Banga is CEO and founder of Balbix.
Please check out all of the latest posts in our Infosec Insider Community.