Security, specifically application security, has become a huge challenge for IT companies worldwide. Actually, most companies in any vertical nowadays have some sort of IT platform they maintain. An increasing number of exploits, causing widespread financial and technical damage, are being reported on an almost daily basis. Yet the biggest vulnerability you have is sitting right under your nose (or next to you). Sixty-six percent of respondents to a recent study from the Ponemon Institute cited employees as the biggest security threat to their company.
As a leader, the best place to start looking for employee vulnerabilities is within your own team. If you look around, you might realize that some of the key IT players and developers are uneducated and sometimes even unaware of security in their code. There’s a big gap between app developers’ coding abilities and their security literacy.
Now, you’ve tried (often in vain) to educate your peers, developers and other employees about threats and security. Despite all the PowerPoints, handouts and lectures, you still don’t feel like you’ve made an impact. Don’t worry—you haven’t lost yet! I’m here to tell you that in order to win the game against malicious threat actors, you have to play the game—or rather your team does.
The app gap
I’ve been seeing a rise in hackers successfully exploiting vulnerabilities in application code. These vulnerabilities often exist from the early stages of the software’s development and remain undetected until it’s too late.
When we look at the development process, we can see that developers usually work as part of a team. Yet, when it comes to fixing security bugs, developers tend to find themselves alone in the process. In fact, according to SANS, only 22% of software developers have an active role in testing application security. In order to fix this broken process, it’s important to bring developers together, educated and united toward a common goal. This is where gamification comes in.
Gaming guide
Gamification is a trending topic among enterprises and startups alike. But what exactly does it mean? Wikipedia has a good description: “Gamification is the use of game thinking and game mechanics in non-game contexts to engage users in solving problems. Gamification is used in applications and processes to improve user engagement, return on investment, data quality, timeliness, and learning.”
Although gamifying processes started gaining momentum in 2010, security had already deeply embraced the gamification trend by then. Just consider OWASP’s Capture the Flag or how it raised security awareness through bug bounties, game rewards and incentives.
Why was gamification so popular in the security community? It takes teamwork to another level, which is exactly what you need to solve the AppSec gap.
System specs
Gamification can be implemented as an exchange platform between developers or integrated into the developers’ environments. In such a setup, each developer would be able to view the security solutions of others. Developers could then flag particular solutions, similar to a Facebook “like,” and even contribute to the team’s general understanding of the nature of a particular vulnerability.
Taking it further, it’s even possible to reward the user who has been most beneficial to the team: for example, presenting rewards to developers who find hidden problems, ways to break the code, or impenetrable functions. You can even call it your own in-house bug-bounty program.
A global social network is ideal for implementing such a security exchange platform. However, even simple forums, such as GitHub or StackExchange, can be used as they too reward developers for their contribution.
In-context training
Not to sound too repetitive, but seriously, traditional education rarely achieves the expected results. A classroom stuffed with developers studying secure coding best practices is great, but how much do you really expect they will remember? Moreover, what about the new developer who was hired the week after the course ended, and what about the time wasted by the JavaScript developer sitting through the C# course?
However, I don’t expect every single one of these issues to be solved with gamification. To address immediate concerns, delivering short and concise (five to 10 minutes) training sessions based on the specific need when it appears is considerably more effective than the traditional classroom. If these sessions are dedicated to the specific hurdle or need of the developer and don’t interfere with the regular flow of work, but rather act as an extension that enhances the developer’s delivery, you’ll see immediate results.
Do you want engaged employees? Deviate from the norm and provide a dynamic experience that encourages employees to actively participate and look forward to new business processes. As an IT leader, you have the opportunity to create excitement and genuine interest in new gamified experiences. If you become actively involved in the process, others will follow your lead. I think you’ll be surprised to see just how much enthusiasm other managers and developers will show for a gamified program.
So what are you waiting for? Cybersecurity is a serious thing, but now you can make sure you’re keeping your company safe and having a little bit of fun along the way!