Security remains a primary concern for organizations across the globe, as there were reportedly an average of 3.4 data breaches per day and a global cybersecurity workforce shortage of 2.93 million individuals in 2018 alone. Even though Gartner predicts global information security spending to exceed $124 billion in 2019, businesses like Bethesda, Facebook and First American Corporation continue to suffer data breaches due to accidental exposures, phishing and misconfigurations.
To reduce the number of security incidents caused by human error, corporate security teams need employees to fix risk items for the systems they own in a timely fashion. It can be challenging for organizations to motivate employees to participate in internal cybersecurity skills training. However, several companies have turned to gamification to help change the workplace culture.
Digital Journal: How common are cybersecurity breaches for businesses?
Gaurav Banga: There were a total of 100 data breaches in the U.S. in June 2019 alone, exposing at least 24 million consumer records, according to recent research from the Identity Theft Resource Center (ITRC). That is a lot of organizations waking up each day finding that they have been breached.
DJ: Why do breaches happen so frequently?
Banga: The enterprise attack surface is massive and growing rapidly. Consider a typical enterprise that has thousands of IT assets (devices, apps, and users). There are hundreds of ways in which each asset can be compromised. To understand enterprise breach risk, we must take into account information about asset inventory, vulnerabilities, active threats, exposure, ease of propagation, compensating controls, and business criticality. For a medium-sized enterprise, there are over a hundred million time-varying parameters that must be analyzed to accurately determine breach risk. For larger organizations, this number is several hundred billion or more.
Legacy cybersecurity tools and processes are simply not able to scale with the size and complexity of the enterprise attack surface. Thus, most organizations lack visibility into their cybersecurity posture and have a poor understanding of their breach risk. Due to this lack of visibility, the right decisions do not get made, and the correct actions do not get prioritized, leaving enterprises wide open to attack and compromise.
DJ: Which types of technologies should businesses be considering to prevent breaches?
Banga: Imagine if you could use automation and machine learning techniques to discover and understand all enterprise assets and all risk-related attributes about those assets, including their business impact. This is exactly what is needed for better cybersecurity visibility. With deep learning and other specialized AI algorithms, enterprises can continuously and automatically analyze their attack surface and gain relevant insights that predict where and how breaches are most likely to happen. This information can help businesses prioritize the necessary actions that need to be taken in order to remediate cyber risk.
A second important technique/technology is gamification. It is quite hard for most organizations to motivate their rank-and-file employees to help with cybersecurity mitigation tasks or to participate in any sort of internal cybersecurity skills training. Unfortunately, the CISO’s security team cannot fix all issues by themselves, especially as they typically own none of the enterprise assets. Several companies have turned to gamification to organize their employees into an army of quasi-cybersecurity warriors.
DJ: How important is incentivization to the process?
Banga: Gamification allows organizations to incentivize proper security behavior and spurs participation through competition. Gamification also allows companies to measure the effectiveness of their security training and identify employees that may require additional training.
DJ: How important is the competition element to a gamification approach?
Banga: Gamification of enterprise cybersecurity involves leveraging people’s natural desire for learning, mastery, competing, achievement, status, recognition and rewards towards reducing your organization’s overall breach risk. The notion of “competition” is a key ingredient of gamification. A sense of competition increases physiological and psychological activation in the brain, which prepares the mind for increased effort, enabling higher performance.
DJ: How does technology help?
Banga: Technology that helps with the automatic identification of risk owners, and the use of notifications, digests, tasks with context, points and incentives, leaderboards and badges can enable dramatic transformation of cybersecurity posture. Gamification enables the right context, tools, and incentives to empower everyone to do their part in reducing cyber-risk.