Using cyber sports to boost security preparedness
From September until January, Monday evenings find living rooms across America filled with armchair quarterbacks. During pre-game shows and post-game analyses, experts and amateurs alike discuss the retreat and progress of their favorite teams. Even fantasy leagues abound to test players’ strategic and tactical prowess on the gridiron.
But football teams can’t win without training, without adequate preparation and the proper equipment. Anticipating and simulating opponents’ attack scenarios between games help teams prepare from week to week for each new rival. Every team brings different strengths and weaknesses to the playing field, and successful ball clubs understand how to exploit each as they pass, run, and tackle their way to the Super Bowl.
Not even a high school team would face its Friday night lights without knowledge of the opposing team’s most likely maneuvers, so why should Monday morning’s cybersecurity professionals be expected to do so? It’s no secret that cyber attacks have grown in frequency and sophistication, or that traditional security tools are woefully inadequate to combat them; maybe it’s time to bring a little gridiron gamesmanship to the cyber playing field to better arm ourselves against opponents that swap and shift in milliseconds to escape detection. By training, equipping, and preparing our cyber athletes for competition, we can better prepare them for cyber attack.
On the playing field as in the security operations center, skills matter. But trust, communication, and teamwork matter more. Cyber sports teach security professionals to think critically and creatively about offense and defense, about the measures and counter-measures associated with every move. They can teach analysts how to play to their strengths, underscore the importance of decisiveness, and build useful knowledge from losses. Cyber sports also provide security professionals with the necessary pressure of competitiveness, urgency, and time that equip them to perform successfully when under attack. After all, one talented individual cannot singlehandedly defend a complex global network. Even Danny Ocean had his infamous team of 11; the Pittsburgh Steelers, as the winningest team in the NFL, are, well, a team; and Iron Man relied on fellow superheroes the Incredible Hulk, Thor, and Captain America to outsmart the wily Loki.
Much in the way a good team of criminals will surveil, plan, practice, test, and refine -- with a plan B and C at the ready -- a good penetration-test team will scout the target environment to understand the landscape, logistics, culture, and trends; they’ll determine who’s in what areas of the target location and at what times. They will plan their approach as a team to pinpoint probable vulnerabilities and execute by “switching chairs,” by remaining alert and flexible to make sure the tester in the chair is the tester in the best position to advance the attack -- to move the ball forward as it were and (ultimately) to score.
Cyber sports build important skills in areas such as discipline, confidence, coordination, goal-setting, perseverance, responsibility, sportsmanship, and stress management. This type of training provides the preparedness necessary to counter adverse security events by enabling increased communications throughout the organization, effective coordination among various groups inside and outside the security ecosystem, streamlined decision-making, and faster response times.
And let’s not forget: Games are fun. Cyber sports can bring excitement back to security operations and mundane tasks like compliance and patching while cultivating well-rounded, well-tested cybersecurity leaders. Cyber competitions enable security and IT administrators to incorporate learnings from real-world attack scenarios into their everyday jobs so that they no longer have to begin, or continue, their careers without ever experiencing a cyber attack, without first-hand knowledge of the pre-defined and on-the-fly measures required in unique and changeable attack scenarios. Games train security professionals to know what to look for and to recognize it when they see it, both of which are critical to effective cyber defense.
Finally, cyber sports have strong precedent and prestige for the winners. Popular competitions include U.S. Cyber Patriot, the Maryland Cyber Challenge, SANS NetWars, the U.K. Cyber Challenge, the Global Cyber Competition, DC3, NCCDC, and a host of university-based competitions at notable institutions like U.S. service academies, New York University, the University of Maryland, the University of Washington, and Johns Hopkins University. Accolades include everything from basic bragging rights to money, scholarships, trophies, and more.
But you can’t win if you don’t prepare. CISOs can build rapid-response-readiness throughout their teams by participating in local cybersecurity competitions or by creating their own internal games to keep security professionals operationally engaged. And with cyber games based on childhood favorites like king of the hill, capture the flag, blue versus red, and scavenger hunts, why not engage?
Jessica Gulick is chief strategist at CSG Invotas.