Gamification: Making cybersecurity training fun for everyone

[00:00:00] CM: Today on Cyber Work, I speak to Jessica Gulick of Katzcy about the gamification of security and security awareness training, the Women's Society of Cyberjutsu and the ways in which cyber games could be the next esports. That's all today on Cyber Work.

Also, let's talk about our new hands-on training series titled Cyber Work Applied. Tune in as expert infosec instructors and industry practitioners teach you a new cybersecurity skill then show you how that skill applies to real world scenarios. You'll learn how to carry out different cyber attacks, practice using common cyber security tools, follow along with walkthroughs of how major breaches occurred and more. Best of all, it's free. Go to infosecinstitute.com/learn or check out the link in the description and get started with hands-on training in a fun environment. It's a new way to learn crucial cyber security skills and keep the skills you have relevant. that's infosecinstitute.com/ learn.

And now, on with the show.

[00:00:58] CM: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals while offering tips for breaking in or moving up the ladder in the cyber security industry. Jessica Gulick is CEO of Katzcy, a woman-owned growth firm specializing in cybersecurity marketing and cyber games. She's also president of the board at the Women's Society of Cyberjutsu, a 501(c)(3) dedicated to advancing women in cyber careers. Jessica is a 20-year veteran in the cybersecurity industry and a CISSP.

So with the recent announcement that infosec has partnered with Chooseco to create a choose your own adventures branded security awareness training program, very exciting, we're aiming to speak with some guests about the concept of gamification in security and security awareness training. With Jessica's involvement in the Wicked6 Cyber Games tournament in Las Vegas and the Cyber Carnival of Games for Cyber Security Awareness Month, Jessica certainly knows how to move beyond the superficial trappings of what we think of as gamification into creating programs that engage in the way that only brain stretching games can. So let's get into it. Jessica, welcome to Cyber Work.

[00:02:08] JG: Thank you. I’m very honored to be here.

[00:02:11] CM: I appreciate that. So we always like to start with a bit of an origin story question. So how did you first get involved or interested in cybersecurity? What was the initial attraction and what was the first thing you did once you learned about it?

[00:02:25] JG: So my story in cybersecurity really started a few days after 9/11, believe it or not.

[00:02:29] CM: Okay.

[00:02:31] JG: We had just moved to D.C. My husband had a job up here. And I was able to get a job for a contracting firm supporting the State Department. So if you imagine, I had just gotten my bachelor's, fresh out of school, first real job if you will in security and was working for what was IRM at the State Department doing database work. Creating a vulnerability database and then training people that were going out to the consulates and the embassies on how to do IT contingency planning. So that's kind of where my start was.

I would say what I love most is that I was supporting a mission. At the time I had one kid. I had another kid on the way, and it was just great to know that the time away from family was worth it because I was helping protect others.

[00:03:26] CM: Right. Okay. So I mean, moving from there, it seems like you went through a series of sort of threat intelligence and related positions before working for ISC-squared and others. Can you talk about from beyond that to your business journey? Like what were some of the milestones that you remember that brought you to where you are now? Whether it's projects you completed or skills you learned or positions held or what have you.

[00:03:49] JG: Yeah. So I would say from State Department, which really I was a dedicated contractor on site if you will. I moved to another contracting firm, SAIC, and that allowed me to support multiple different federal clients and commercial bank clients that were integrated with the federal clients. So what we call trusted agents. My work turned to be more around certification. I was still doing a lot of performance metrics and assessments in security, but it was a great opportunity there because I was able to contribute to a number of the NIST special publications, right? The standards around security and the lifecycle, et cetera. And I got to work with a fabulous team of folks. I was project manager, program manager if you will, over about 34 security professionals at the time. A mixture of penetration testing, forensics, policy, et cetera. And that was just a really great time to give me a full experience across different clients and what was going on in the market.

My world changed though. Somebody else's world took a negative turn if you will, and I was asked to step in and take over marketing for cybersecurity at SAIC. There was a huge step. I hadn't done it. All I had was my MBA at that point in terms of experience and doing some sales for my own work. And what we ended up doing was taking a very thought leadership role to our marketing and being known for something called MDC-3 at the time, which was the Maryland Cyber Challenge and Competition.

There's a group of folks that I took part with that we really tried to drive home cyber competition, cyber education, et cetera, right in one regional space, right? The same time we were supporting something called Cyber Patriot, which is a well-known high school cyber competition. We are part of the initial team to start that. And my role there was really on marketing and oversight of some of the event activities, et cetera. So there was a larger team at play. So that was really critical to my career because it put me from doing hands-on certification and accreditation or managing a team, doing forensics and penetration testing, into the marketing world and into the world from a technical standpoint, right? We were doing cyber games and we took it to the U.K., and Utah, and Colorado and got to really experiment with high school, college and professional games.

From there, I kind of took another turn in my career. I accepted a position as a global CMO, a chief marketing officer for a startup. We had a new product that we were taking that first started in telecommunications and we were taking it to other industries. And I was able to take a leadership role in starting a new market segment that we all now call SOAR, security, orchestration, automation and reporting. We were one of the first ones during Automate or Die, in RSA, if we were there.

[00:06:53] CM: Okay. Yeah.

[00:06:54] CM: Yeah. So it was a great experience, a great team. But again, another turn, and then I found myself running my own business, Katzcy, which was fun.

[00:07:05] CM: Yeah, can we talk – Oh yeah.

[00:07:08] JG: Yeah, absolutely.

[00:07:10] CM: Can we talk about your day-to-day job as CEO of Katzcy? Like what type of tasks do you do every day? All of our listeners tend to think like, “Ooh, I would like to be a CEO someday. I'd like to start my own company.” Like what is the actual nuts and bolts of what you do with Katzcy and what is what is Katzcy about?

[00:07:28] JG: So Katzcy is a growth company, number one. We help grow startups and small businesses in cybersecurity and IT, but we also help grow professionals through cyber games and events. And it's different being an entrepreneur. It changed my life. It changed the way I look at things. When all the responsibility is on your shoulder, it can be life changing. But I love it. I do.

So the hours aren't your typical hours. They're not nine to five. It's kind of constant. In terms of everyday tasks, it could be anything from payroll, to sales, to getting in and actually doing strategy work for clients on how do you position this product or this service. All the way to how are we going to run games and what do the players want and how do we set up this tournament and which partners do we want to bring involved? What I love is that it changes every day.

And the cool part is being your own CEO if you will, having your own company, you get to decide who you work with. And I love working with passionate people about cybersecurity. And so that's probably the best part.

[00:08:41] CM: Nice. What types of work problems keep you up at 3 a.m. or wake you up in the middle of the night at 3 a.m.? Like what are like the stressors or the things that –

[00:08:53] JG: So, it's different, right? Because I remember the days working in cybersecurity, what was waking me up was there's a pen test going on at night out in California. What are they going to break? What's going to happen? And I was constantly on-call for things like that whenever it had to be escalated. But now, it's really about trying to work out problems in your head, right? Because you're in meetings all day long. So really the only time your brain shuts down can really think through things is at night.

So let's see. Last night I was thinking through – We had this big launch for the company called playcyber.com and we're trying to figure out how we're going to come up with some amazing games throughout the year. And it's funny, one of the challenges I think the market has and what I’m kind of grappling right now in terms of workforce is there's a lot of discussion around pipeline, Chris, and everybody knows it's important to try to push more people into cybersecurity jobs. But one of the things not being as explored as much I would say is the fact that there's burnout, right? In our community, our workforce, cybersecurity, there's a huge amount of burnout, and what we have is these brilliant cybersecurity people that go through college. They get their careers and they're excited and they're passionate about cybersecurity, right? And then they get locked into a position either at a SOC or working for a company. And all of a sudden boredom of mundane tasks and, “Am I really helping anybody? Am I just clocking hours?” That really kind of sets in.

And so the question becomes how do we spark those individuals? Give them an ignition? Give them some kind of re-spark into cybersecurity. And I know that there's an answer with cyber games, but you don't know how to get it so that corporations really can really appreciate the value of cyber games. So that's something I’m constantly thinking through. And last night I was up at 3 a.m. really kind of thinking through specifically what can I do to help contribute to that problem or contribute to the problem. Help solve that problem.

[00:10:56] CM: Help solve the problem, yeah. So to that end, when I was thinking – As soon as you said burnout, my first thought was the opposite. Apparently I was wrong. But thinking in terms of people burning out, you hear the stories about information and cybersecurity moves so quickly that within six months half of what you know is obsolete and you're having to constantly learn new things. But there's there's a give and take between that, as you say, and you're just doing the same repetitive tasks every day. You're reading the log files. You're doing this. You're doing basic pen tests or whatever. Are those two things in tandem or would people actually prefer having to learn sort of all these new sort of updates, security and technology?

[00:11:43] JG: Well, I think they feel like they have to learn, but they don't have a way to learn. Does that make sense?

[00:11:45] CM: Okay. Yeah.

[00:11:47] JG: I mean if you look at certifications right now on the market, you're really dropping 5, 10, 15k. If you're lucky, your company is paying for it, right? But even if they're paying for it, it's going to take you weeks, months to study. And sometimes you need that and that's important. But sometimes you just need to like learn from others and have quick tactics and such. So I think that's where we can really start talking about unravelling it.

It's funny, one of the statistics that – As you know, I’m very much dedicated and passionate about women in cybersecurity.

[00:12:22] CM: Yes.

[00:12:24] JG: Do you recall one of the statistics that we looked at where it was like for four years where you remained at around 10% of the population in cybersecurity being women. And a lot of people say we got to get that number up, et cetera. But again, the interesting fact about that is why do we go stagnant? And the reason why is because more women were leaving the field than we're entering it. So we had all these pipeline things, pushing women into cyber. And you get to that mid-level and you're burnt out for a number of different reasons. And so women were leaving the field. And that was a major issue. I think we're starting to turn the curve on that and with a lot of different programs that Cyberjutsu is part of as well as other organizations.

[00:13:11] CM: Cool. Yeah, I want to get back in and deep dive into Cyberjutsu and some of that stuff in a bit. I want to turn us back towards gamification and security, like learning games and so forth. So I think we all know gamification is one of those terms like AI and machine learning that can signify something really exciting or can just as easily be a meaningless buzzword uttered to appear at top of trends. So it's something that if applied well can make ideas stick in practical ways. So can you tell me about your relationship to gamification as a way of making security ideas stick? What are your guiding principles in using gamified study and training?

[00:13:50] JG: I think one of the important principles to realize is that cyber security is not just a buzzword, right? As you might recall 10, 15 years ago, it was IT security and cybersecurity were interchangeable, right?

[00:14:03] CM: Right. Totally.

[00:14:04] JG: I don't actually believe that. I believe cybersecurity is different. It's fundamentally different. We have good guys and we have bad guys. We have bad actors. We have defenders. And the beauty of that is that that means that cybersecurity is a trade craft, right? It's an art form and it's very much like a sport. And so one of the guiding principles that I have when it comes to gamification is cybersecurity is a sport. It requires hands-on practice. We're talking about interactive learning with others as a team or an individual. And one of the cool parts is that competition we have found builds the best through games, through interactions, whether it's planting flags, or going red team versus blue team, or solving puzzles. What you're doing is you're using competition to build the best, both the best in individuals, in tactics, in community and in teams. And it's very rare.

If you look at something like accounting or human resource or, I don't know, plumbing, right? Cybersecurity is fundamentally different because of these principles, right? We can use competition not just to better ourselves, but hey, to also score ourselves and to differentiate ourselves for jobs. And it has a really exciting piece of it. Now how is that different than gamification, right? Because gamification, like you said, is a big term. It's like saying AI. It's how you apply it.

What I would say is that when you look at gamifications for losing weight or for stop smoking or something like that, right? It's all about points and making it fun and all that great stuff. The thing about cybersecurity is it's a difference from having a junior analyst go from just applying controls and going through a manual process if you will, to an analyst being able to see a security professional being able to see an attack is occurring. Here's what the attacker is doing and what their motives are. Here's what my strategy is to defend against it. So now I have a strategist, right? You don't teach that in school, and that's part of the problem if you're trying to break into the cybersecurity market and you're coming out with a college degree in cybersecurity.

We all kind of know, it takes about five to seven years to really get acclimated in the space and you’re your stuff, because it's so much of just living the life on the job training. There's studies out there, Chris, that show that through games and competitions and tournaments in cybersecurity through doing CTFs, capture the flags, we can actually decrease that time to value for that professional to two to three years, if not less than that if they start, let's say, in high school. And the reason is because you're experiencing it, right? You're not just experiencing it, but you're also doing it with others.

So think about our kids nowadays, right? What are they doing? They're playing games but they're also watching other people play games.

[00:17:26] CM: Yes. Yeah.

[00:17:27] JG: Right? So they're learning that way. And in fact I think it was two or three years ago now, the National High School Association recognized esports as an athletic program, and that opened up scholarships, et cetera. So I would contend that cyber security, CTFs, and the future of gaming in cybersecurity is going to go towards esports because that's why not? Let's have some scholarships there. Let's teach kids how to work together as a team.

Because, interesting, going back to my days when I had security professionals reporting to me as part of a security program, one of the tactics that from an HR recruiting standpoint that we would utilize is we would recruit in groups of two or three. And the reason is because real cyber security is teamwork, right? It takes a team dynamic. It takes communication and trust. And it's very rare that you have a sole pen tester, right? Usually you have a team of three or four pen testers depending on the size of the network go out and they all bring different skills. And what they do is that best athlete approach, depending on what the tactic there is. And that allows them to take advantage of every slight modification or opportunity they have because they only get one opportunity before the system resets and they lose that opportunity to attack and find the vulnerability.

So my point is that if we can teach games, cybersecurity games to high school, college and professionals, we can help with that teamwork dynamic and really bring strategy into games, which is way more than points or emojis or fun little things.

[00:19:11] CM: Yeah. I mean can you talk a little bit about it? For people who are trying to design or choose programs that are gamified, like how do you sort of move past those trappings of badges and point systems and leaderboards and stuff and sort of come to something that – What are the guiding principles in terms of like designing or choosing or getting your employees on board with such a thing?

[00:19:36] JG: I think it has to do with – One of the things is understand how you’re – So there's really, in cyber security, the way I look at it is there's really like two kinds of games. You have security awareness, which is really about teaching security principles to non-security people, right? And then you have cybersecurity training and education, which is about cultivating security professionals with more skills and knowledge and capability.

So in terms of security awareness, you really got to think about your diversity of your player set, right? You're going to have older people that perhaps aren't really into games, right? You're going to have younger people that are more into games than they are into the knowledge piece of it. You're going to want to have a little mix of both and know who you're targeting. Some people are going to want to play alone. Some are going to want to play as a cohort. But you kind of need to understand that dynamic and make it very simple, right? Very engaging and relevant to them in terms that are very sticky. So it's applying marketing principles, which is nice.

Now on the other hand, when you own security professionals training and education, I really think that understanding who, again, your target is for the player, what you're trying to accomplish, but also working – There's a lot of wonderful people out there doing some really cool programs. Take NIST, NICE, which is really dedicated to cybersecurity workforce, right? You can look at their workforce framework. If you're a game out there or you're gamifying training in cybersecurity, if you're not mapping to them, then you're not really doing cybersecurity education. Education and training really needs to align with the workforce framework so that we can all understand what skills you're trying to teach, which is one critical piece. And then the other critical piece is having that output back to the user, the player, so they know what is it that they just learned and how does this apply to me as an individual, my resume, my ability to sell myself to a company of my ability to contribute as a better security professional. So I said that's kind of pieces of it.

I think the other thing to keep in mind is these things are hard. When you look at esports and games, whether you're playing Battle Royale or any of those out in the market, they have huge development teams. That are constantly building environments that are engaging and they're freshening it up. They're keeping it as fresh as they can on a daily basis. And it's huge and it's hard, because people are demanding right. They want instant gratification and they want it to change and they want it to be cool. I wouldn't let that stop you, but just keep that in mind when you're trying to come up with your development style and approach.

[00:22:31] CM: Yeah, okay. So to sort of move it in a different direction, obviously cybersecurity is a serious business. And many organizations take that to heart when it comes to employee training. But that might make things hard for a security or training manager to “sell” a gamified learning environment to leadership or decision makers who might see it as maybe like frivolous or something like that in the circumstance. How would you make the case for gamified learning over more traditional training experiences or a combination of the two?

[00:23:02] JG: I think it goes back to something I said earlier, and that is the experience piece of it. It goes back to that major principle that says cybersecurity is different, right? And the hands-on piece is really where we need to get to. It's not enough to sit in a classroom doing a boot camp where somebody is just teaching you, right? You've got to be able to apply it. Now that applying is difficult, right? This is why so many security professionals I know, they have a network setup in their house that they can break apart and do stuff on. And that's a typical kind of thing.

Well here's the thing. You've got work eight to ten hours a day, then you've got family and you've got other things that are work-life balance if you will. It's very difficult. Now layer on top of that – It's not like the olden days. If you start trying your hacking skills on the internet, you're going to get in trouble.

[00:24:05] CM: Yeah. Right. Right.

[00:24:05] JG: There's no safe place for you to play, right? And you can say, “Okay, there's cloud environments, et cetera. Okay, but I need a little bit more structure than that,” right? If employers really want to have the strength that they need to provide game environments and CTFs for their security professionals. Here's another little tidbit that I personally learned and I would share if any companies are out there listening and trying to say, “Is this really worth it or not?” I used to manage a team, like I said, and we had pen testers. And we're a large government contracting firm. So a lot of times what will happen is somebody on your team will get a higher paying job somewhere else, right? And this individual on the team came up to me and said, “I want to move to this other contract. It's going to put me on site with this client and I get more money,” right? And I’m like, “In the long run, you won't,” and they didn't believe me and they left. And this is why we do third-party testing as well.

What happens is when you have a security individual working with the same client day-in and day-out, all they see is that environment. They don't get to see live stuff they. Don't get to see other environments. They don't get to see um other threats or other approaches or anything. And you get almost this think tank mentality, which actually dulls your skills, your awareness, and it's very hard. Very hard to stay abreast of what's happening in our very dynamic space, which is why they like third-party pen testers, right? You can have these very sharp, brilliant pen testers or adversary emulation experts that now go from environment to environment to environment. They're seeing everything and they're doing things constantly to sharpen their skills and their awareness. That cultivates a different individual that gets higher pay, is more engaged and has more value to a company. So I would say, “Okay. So either outsource cybersecurity or provide your security professionals a way where they can sharpen their skills in a safe environment that allows them to hack.”

And that was a big thing, Chris. If you don't mind, we had a report. We did a report where we interviewed like 27 experts in the field a couple of years ago. And this was all about cybersecurity games. And we interviewed college teachers, professors. We interviewed CSOs. We interviewed recruiters, and we interviewed players. And we took a look and said, “Why are games really taking – Evolving more?” And there was a distinct problem that we had in the space. And that was when you look at high school and colleges, they want to teach IT security, right? They want to teach this is how you harden. These are just practical things.” So when they graduate, that's all they know.

The problem is when you go to the CSO and the recruit of the CSO wants, “I want somebody who's broken something. I want them to understand the dynamics of an attack. What does it look like? How does things happen?” And when I go back to the college, teach the high school teachers and the college professors, they're like, “No, we don't teach hacking,” right?

I don't know how many high schools in Maryland we talked to in the first years of MDC-3 where the teachers like, “Why are you asking our kids to learn to hack?” And it comes down to they have to understand how to break things, right? How to take things apart right in order for them to really understand how to make it stronger. So that was a major issue that we had.

And then you had the recruiters that we talked to, and the problem with the recruiters were just how do I know, if Chris and you are on the same team and you guys get first place, how do I know which one did what? Are you really just as good as Chris? Are you left? Did he pull the weight? How do I know? And how do I use the results of your game to really help say that to my hiring manager if you will? And so there was a problem there too

And so I think we're getting around that. I think people are starting to understand more of the value. I think they're starting to understand not be as afraid of hacking. But the only way to get around all of that is more games and more safe environments to allow people to do more hacking.

[00:28:43] CM: Perfect. I mean that leads right into my next question here. I wanted to – For those of us who couldn't attend and want to live vicariously through it, can you tell us about the Wicked6 Cyber Games Tournament and the Cyber Carnival Program? Like what types of games and challenges and training were people taking part in?

[00:28:58] JG: Absolutely. So you can actually go to wicked6.com or you can find it on YouTube channel if you do like Wicket6 Cyber Games, you can look at it. We did a live streaming of the event. I think it's like five hours long, but you can kind of go through it and see what's happening. So Wicked6 is put on by the Women’s Society of Cyberjutsu, right? That 501(c)(3) that I set on the board for. And Katzcy is the marketing firm that runs the event. But it’s primarily a fundraiser helping fund women and girls camp, cyber camps if you will throughout the year.

And so what we did was we tried to really touch into the fun the, sexiness of cyber competitions. We partnered with Circadence. We had lots of wonderful sponsors like Microsoft and Uber and many, many more. We had a wonderful advisory board as well. And we opened it up for qualifications. We think we had something like 21 colleges, all types, all types of colleges, community colleges, universities, master programs, et cetera. We just said, “If you're a school, if you're a full-time student, you qualify.”

And they went through a qualification, online qualification process where we had games that they had to pass and get scores on. Then we got it down to the Wicked6, right? The six top colleges. And we brought them to the HyperX Arena. So the HyperX Arena is awesome, right? It's right there in the Luxor in Las Vegas. It's got stadium seating, a beautiful stage. You've got the gamer chairs. You've got insights on what's happening on the screen. We have the back room like ESPN kind of show going on. We have shoutcasters talking about what's the play. Who are the players? What are the coaches? Et cetera. We kind of have about a four or five-hour program that really takes them through technical challenges as a team, policy challenges as a team and they continue to score against each other. And then we come up with a final. And it's kind of like college football, right? Everybody has their favorite team.

[00:31:06] CM: Cheering sections.

[00:31:08] JG: Yeah. Yeah. Women's Society is Cyberjutsu is obviously focused on women, but Wicked6 is a co-ed thing, right? We do make a requirement. You've got to have a woman who's actively playing at all times so that we can have that diversity piece to it. But it's a fabulous experience. Hats off to Circadians. They did a wonderful job. Here's how they gameified it that makes it exciting, is they started off with a video that really sets the mission, right? Understanding what's the situation you're in. And then they take them through a number of puzzles and challenges, et cetera, that follow that mission that is either you're securing a SCADA system or you're a financial system or whichever. You take them through real live attacks and they get to see what those things look like and they get to then react to them and they're scored based on that. And score goes up and down if they get hints or not, and it's times.

And what we tried to do differently in Wicked6 than let's say some of the bigger programs is that we made each game only an hour long. That really helps to keep it moving if you will, because some of these cyber competitions – I interviewed I want to say like 30, 40 players. It's amazing. They will practice and prep for three to four months meeting three or so times a week for some of these bigger CTFs. And the CTFs are two to three days long, right? They're almost like Hackerfest, right? And it's very stressful. But we wanted something different, light and fun. So it was short games. That's Wicked6. We'll be doing it again this August. So we're excited about that and we'll probably making more of announcement and getting words out probably late February on that.

So then last year, for October, here we are all in Covid and we're going to – What is it? Like 180 conferences in cybersecurity that happened in October? So we said, “Hey, why don't we put on a carnival of games?” And so what we did was we worked with various different platforms, some focused on awareness and some focus on security education. We had a mixture of both. And we came up with a schedule of games that were available for people to play at no cost and they could win things. So each week we did like various different prizes. Somebody got a Google Nest. Somebody got a $10 Domino's pizza. They were one of our sponsors. Things like that. And they got challenge coins at the end of it. So that was kind of fun, right? And it was just supposed to be fun to really kind of open up people to games, and it was a mixture.

We didn't realize, Chris, that this is a global phenomenon. We’re thinking we did it. We’d focus on the U.S., no biggie. And we only marketed to the U.S. but somehow the world found out. And I would say a good 20% of our players were global, and top 20%. Like the ones that won prizes. It was wonderful. The diversity that we saw, incredible.

I would also say that the dedication we saw people put into some of this was wonderful as well. When you look at the numbers that came out, we had about 500 players total and only 20% were high school or college. So some professionals were playing. So it was great. We tried to do all the games at night and weekends so it wouldn't interrupt work. That made it harder globally, believe it or not.

[00:34:59] CM: Yeah, yeah. I can imagine, yeah, yeah.

[00:34:59] JG: One feedback that we got is trying to do some day games too.

[00:35:03] CM: Oh, there you go.

[00:35:05] JG: So we'll be mixing it up this October, but it's exciting.

[00:35:10] CM: Now you mentioned a little bit about security awareness games within there and stuff. Do you have any tips? We've been talking a lot about sort of hacking games and sort of teaching up and comers how to break things so that they can learn to secure things. Do you have any tips or advice for developing gamified security awareness campaigns?

[00:35:33] JG: I think that they're becoming more – Well, the virtual games are kind of here because of work from home, right? There's a lot of mixture of games. There's some really wonderful programs out there with insight. They have – Everybody loved playing that game. It was amazing. It was brand-new in October. It's fun. It's very much like Pokemon. It's on your device and it's very quick. And the beauty of that game was that even if you weren't a security professional, you could play the game and have fun. But the more you understood, the more fun it was. Does that make sense?

[00:36:10] CM: Yeah, yeah.

[00:36:11] JG: And the better you were at the game. But really, the developers over there have done a wonderful job of really engaging players in a quick, fast pace. Some games last seven minutes. Some last 20. So I would definitely check them out.

Living security, I don't know if you guys have heard of them. They do escape rooms and they have some amazing programs now virtually both hosted and self. So I would check them out. They were wonderful. Living Security, I asked them to do it for my own team, my marketing team, to give us kind of exposure to it. And it was great to see the team work together, to look at the different things and understand the different policies applied. And it really does help. I think it helps make it real and relevant a lot better than just, “Hey, read this flyer.” Or, “Here's the latest security policy, sign it and you're done.”

[00:37:04] CM: Yeah, yeah. Totally.

[00:37:06] JG: And it helps them take it home. That's the beauty of security awareness is that when companies invest in security awareness games and programs, they're sticky enough that not only are they doing it for their work stuff, but they're bringing it home. So when they work from home, their work environment, their home is less prone to security issues, right? And that's really important. And they're teaching their kids. They're teaching their parents. They're teaching people that they're associated with. So I think that's a growing space we'll see a lot more in the next coming years.

[00:37:43] CM: So can we talk about gamified security challenges as a way to possibly bring in potential cybersecurity professionals who might not have thought of this as a career or vocation before? We're talking a lot about diversity and bringing more women in and more minority professionals. And is there a chance that these types of gamified programs can attract new and passionate people who might not have been previously considered for this type of work through the standard job fair, HR, school guidance counselor channels?

[00:38:13] JG: Oh, absolutely. Absolutely. It's why I have such passion for this is – Oh my gosh! You're going to make me cry. I’m not supposed to do that on podcast. So MDC-3, the very first year, was exhausted. And I sat down at this cocktail table and this guy was watching the competition and he grabbed the seat next to me and just kind of sat there and he was just wowed and he's a little teary-eyed, 47-year-old man sitting there. And I’m like, “So how's it going?” Because I’m from Texas. I'll talk to anybody. And he's like, “I’m just in shock and amazed. You don't understand.” I’m like, “Why?” And he's like, he goes, “Do you see that kid right there? That's my son. And my son six months ago, he didn't know what to do with his. I couldn't get him to do job applications. Here he is a freaking senior and he wasn't even interested in college. I didn't think he was going to go to college at all. And all he would do was play his games, right? And he was an introvert. He wasn't really into programs of like athletics or any of the after school programs. And I was really starting to worry about him and then it got worse. He said he disappeared. He stopped coming home right after school and he'd be with friends. And I was convinced he was doing drugs. That he was doing something bad. And then the other day he comes up to me and say, “Hey, dad. Can you take me to Baltimore because I’ve been practicing with this team over the last few weeks and we qualified and we're going to play this game?” And now he's talking about colleges. And he's talking about career in cybersecurity.” He said, “I had no idea.”

And it changed his life because the kids can actually see what it would be like, right? It's not this weird philosophy, “Oh, programming, boring kind of thing.” They get to be part of something that's bigger. And the cool part of that is the diversity piece, right? We use games at Cyberjutsu to really involve women. And the reason is because they are safe in some ways, culturally safe, right? You can do them from your house, all virtual. You don't have to worry. You can go in-person. And it's a game. So it's not taken as seriously, right? So you can mess up. And it's okay to ask for help. And people want to help you because the stronger the team is. So this helps tap into a lot of different diversity groups and it helps to get people hands-on exposure to what a career might look like as well as help them learn a few things and they get some confidence in it. And they're like, “Hey, maybe I could do this for a living.”

And I think that that's really important. I think it also helps – It's not as much pressure as a work environment. So you can kind of cultivate better relationships and learn how to team with different cultures, which is kind of nice. But I will say that our world has definitely changed in the last 10 years. The barrier to entry on games is so low. You can get it on your phone. You can do it from your computer. You can do it from home, from the coffee shop. Between technology and infrastructure and the way that we're simplifying cybersecurity with visuals and such, it's just really opening up and tapping new areas and new pools of diverse folks.

[00:41:49] CM: That's fantastic. So I want to move from that to we sort of put a pin in it before, but I want to talk about – Put front and center Women's Society of Cyberjutsu and your work with it. We had Mary Galloway on the show earlier as well and had a lot of fun with her as well. But you said earlier in the program that 10% of the cybersecurity industry is made up of women and part of that is just the sort of the burnout rate and people leaving. Can we sort of talk about that issue? Because I mean I’m sure some of that is, like you said, the repetition of it, but some of it has to be a culture issue as well, right? There's a certain point where – Let's just put on the table, like we might not feel that welcome in some of these sort of mono-cultured situation. So like what are some of the – I love hearing that gamification is bringing new sort of voices to the table and encouraging collaborations and stuff like that. So what are your thoughts on this sort of burnout issues and the cultural fit issues and all of that aspect of things?

[00:43:01] JG: Yeah, we've come a long way. We have come a long way with diversifying the workforce in cybersecurity, but we still have a long way to go, absolutely. It is still very much a mafia if you will. If it's not, because it's very masculine, which it totally is very masculine. But also, there's a lot of – If you look at the history of where cybersecurity jobs come from, a lot of people don't realize that for the most part, cybersecurity jobs really started around Clinger-Cohen. So that was regulation – That was what? 1996 was the CIO role? That wasn't that long ago. I mean longer for us. But for people that been in the community, wasn't that long ago.

So you definitely had – In order for it to be created, you pulled from other workforce pipelines, right? You pulled from law enforcement. You pulled from IT, and believe it or not, from information management. So librarians and such. So you had really these three groups of people come together to create a cybersecurity workforce. And because of that, there was a lot of cultural issues. And it's difficult for women in cyber security because of that, because of it being very much – The way it's grown up, people perceive that cybersecurity careers are really you have to like do your time. Do you know what I mean? You can't just jump into something. You got to do your time. You got to earn your –

[00:44:34] CM: Yeah, you’re woodshedding or paying your dues.

[00:44:38] JG: Yeah, paying your dues, and that you have to have a certain number of certs and you got to have years of experience and you got to be able to talk to the lingo and drop the names.

[00:44:47] CM: Had this mentor or whatever.

[00:44:48] JG: And all that stopped. And it can be very overwhelming if you're not familiar and you can recognize that and say, “I’m just not going to play that game. I’m here. I have value,” and it takes encouragement.

Well, also what happens is that because of all the lingo if you will and the technical certs, et cetera, and the way recruiters do their job requirements, a lot of women will look at a job and say, “One, that's boring. Two, I’m not qualified. And three, they're not going to teach me. They just expect me to know all this stuff when I get there.”

[00:45:27] CM: Yeah. And they're going to try and punish me if I don't know it. Right.

[00:45:29] JG: Right. Yeah, exactly, exactly. I’m going to look bad or I can't spend that much time. It's going to take me a lot of time to catch up or get educated. And what we try to do within Cyberjutsu is break down those myths for women and say, “One, you got us. We're your tribe.” So you can call you can call on us. You can post. You can be part of Slack and get help and mentorship right there from women that have been in cybersecurity.

We also have this issue of – And this is actually much better with COVID. I mean I hate to say that, but there are some good things that have happened over the last year, right? This work from home aspect right has been good in some ways. The education and distance learning stuff, not so good for women. In fact this is actually hurting women quite a bit right now, and it's one of those issues that definitely keeps me up at night. But it has allowed people to recognize the fact that you can work from home and you can break away from the eight to five, right? You can do you know work from seven, six a.m. in the morning until ten. Deal with the kids and other stuff and then come back at one and work and then deal from three to five family and then seven pick it back up. So people are getting more flexible. And as that happens, that's going to help with diversity as well.

So there's that piece of it that we're dealing with. I think that the imposter thing is really prevalent. It's also one of the things I have a blog on is about not seeking perfection. Women are groomed from a very young age, unlike men, right? We are groomed to seek perfection, right? Make sure your eyes are on point, your head's up, your posture is good, you do the right thing. There's perfection that women seek or girls seek, and some of the best dads in the world, they find themselves at fault because they're teaching their girls perfection. What are they teaching the boys? They're teaching the boys perseverance. You get pushed down, get back up. You fail, get back up. Try again and try again.

And so what we need to do is we need to kind of change that and teach our girls. You can continue to teach them perfection. There's nothing wrong with that, but also teach them get back up, because half the job is just persevering. And then cybersecurity or entrepreneurship, it's all about persevering because you're not going to get it 100% and you're never going to be perfect, right? It's not about being perfect. It's about figuring it out as you go. And that's what we try to help with women. I think as more women start to recognize that, they're going to realize the beauty. And there is a lot of value in being a cybersecurity professional. And some of the research that Gartner has done about women shows that. Yes, they're burnt out and they're leaving because of being berated, because of being told to shut up at work, because of creating more of a masculine environment that says you got to go to the bar afterwards in order to hobnob to get to the next career when they need to go home and cook dinner. There is that.

But when you look at would I want a job in IT or cybersecurity? More women say they want jobs in cybersecurity. And it comes back to that mission thing. Women have a heart. They want to know they're making a difference. They're not just making a buck, right? If I’m going to choose to spend my time here versus at home, I want to know my time is valued, right? And cybersecurity tells them that. It feeds them that, “Hey, you are defending and you can make a difference.” And the cool part is women are really good at it, because they can see a lot of – They're not very linear. They can multi-process and see a lot of situational awareness because they're used to doing that. They're used to somebody saying, Get this deadline done. “Oh, mommy. Can I?” And they've got to redirect, pivot, come back kind of thing. So we try to create a very nurturing and encouraging environment to help women advance in cybercareers because it really will help the workforce and our community at large.

[00:49:46] CM: Yeah. I mean this hour has just blown by and it's been just a blast and I can talk for hours with you about this, but I want to sort of start us toward our descent here. So as we wrap up today, what are some of the events – You talked a little bit about what is Wicked6 or Cyber Carnival going to be looking like for 2021? What kind of projects do you have in the pipeline and where can people sort of track what's going to happen next?

[00:50:13] JG: I would track the Womenscyberjutsu.org. We're going to have some announcements coming out. We have Cyberjutsu Con, which is coming in June. That is a virtual conference for women and men, but really kind of the messaging is towards women, but it's open for both. And the cool part is we try to make it as hands-on as possible. So some of the sessions, it's not your typical panel one-hour. We have those, but we have two and a half hour work sessions too where we actually have some code and we're playing with Python, et cetera. So that can be fun.

In the next few weeks we're going to be making some announcements through Cyberjutsu and through Katzcy about what's going to be happening around RSA this year. It's a virtual. For your audience, if you've never been to RSA, you got to go this year because it's virtual. It’s May 17th through the 20th. We're going to be having some programs and some cyber tournaments around that time frame and some cyber job career fairs kind of things too. So I would keep an eye out for that.

Again, some of the plans we can't quite announce, but they're coming in the next few weeks. So definitely look at womenscyberjutsu.org. Playcyber.com is a great site, I think. It's by Katzcy. So I’m kind of biased. But that's we're going to be announcing some of the games as well. We're going to be doing a tournament in partnership with the U.S. Cyber Range. They're about May time frame. So that's going to be fun. That's also where you can find out about Wicked6. That will be happening in August, which means qualifying rounds really have to happen in May-June time frame. So we got to get the word out there soon.

And then we have quite a few more games. I think it's like four or five games that we've got planned this year. Big tournaments as well as small little things that are fun to do. Oh! Cyber Carnival, October. I’m sorry. I’ve forgotten about that one.

[00:52:11] CM: Oh, yeah, yeah, yeah. Okay. Jessica, well, thank you again for all of your time and insights today. This has been a blast.

[00:52:17] JG: Thanks. Take care.

[00:52:19] CM: And thank you all for listening and watching. New episodes of the Cyber Work podcast are available every Monday at 1 p.m. central both on video at our YouTube page and on audio wherever fine podcasts are downloaded. And don't forget to check out our hands-on training series called Cyber Work Applied. Tune in as expert infosight instructors teach you a new cyber security skill and show you how that skill applies to real world scenarios. Go to infosecinstitute.com/learn to stay up to date on all things Cyber Work.

Thank you once again to Jessica Gulick and Katzcy, and thank you all for watching and listening. We will speak to you next week.