As the need for cyber security talent continues to grow around the world, the US government has taken an innovative approach to developing the federal cyber workforce, releasing an Executive Order on America’s Cyber Security Workforce.
At present, over half of all organisations report a ‘problematic shortage’ of cyber talent (see: skills gap), while data breaches in the US, the world’s most targeted nation, typically cost $7.91m. It’s huge business, which is why $15b was put aside for cyber security in the President’s Budget for 2019. And with the release of the Executive Order, the US isn’t letting up.
First and foremost, the order is aimed at improving the US Federal Government’s cyber security workforce – and every federal agency must address it. The skills gap is also on the agenda, and the order highlights the government’s plans to reduce it, which include attracting cyber experts from private industry and assessing whether workers in other professions have the aptitude to reskill.
Among the proposed solutions for improving the current workforce – and arguably the most interesting – is an annual cyber security competition. The 'President’s Cup’ will pit federal civilians and military personnel against each other in a bid to reveal America’s best cyber talent. Specifically, the competition will ‘identify, challenge, and reward the US Government’s best cyber security practitioners and teams across offensive and defensive cyber security disciplines.’ It will also test skills ‘related to the NICE Framework’, which exists to ensure there is a common lexicon for discussing cyber security.
It is not yet clear what the competition will look like in action, but there will be individual and team events covering various security fields, including software reverse engineering, secure programming and cyber defence. Most cyber security competitions rely on capture-the-flag (CTF) exercises, so it’s almost certain that these will be featured (probably powered by technology akin to Immersive Labs). There will also be cash prizes of $25,000-plus up for grabs, which means uptake should be high.
Most importantly, the President’s Cup will rely on gamification to boost engagement, which is a proven method. Despite its name, gamification is not strictly about games; it is the act of taking something in existence – an app, for example – and increasing engagement using game mechanics, such as reward and competition. Typical gamified cyber security exercises include capture-the-flags and hackathons, which double up as great team-building activities owing to their social nature. A recent study by McAfee found 96% of organisations that hold gamified cyber security events report tangible benefits. They can even help in the search for hidden talent, with many self-taught or uncertified participants using such exercises to prove their worth.
The White House is certainly on the right track. To transform a workforce – be it five IT pros or the Federal Government – you must first engage it. And when it comes to cyber security, there’s no better way to engage people than gamification, which is something we’ve seen first-hand at Immersive Labs. Our platform employs game mechanics including experience points, rewards and leaderboards to encourage healthy competition and get users hooked on learning. Coupled with real-life scenarios and the latest threat intel, this sharpens cyber skills unlike anything else.
However, increasing engagement this way is not a new concept. In 2012, US pharmacy Omnicare introduced gamification to its IT service desk and achieved a 100% participation rate. That same year, American software corporation Autodesk used it to raise its trial usage by 40%. In 2019, TalentLMS’s Gamification at Work survey found 85% of employees would spend more time on software that was gamified, while 87% agreed gamification made them more productive. Clearly, it works.
Gamification is an effective way to engage, nurture and reward cyber talent, which is now a priority globally, as evidenced by the Executive Order. With so many experts needed to ensure we can keep pace with attackers, similar government-backed competitions are likely to spring up around the globe.