How can you get all risk owners in the organization to help with the cybersecurity mission?
The first line of defense in any cybersecurity program is the individual risk owner. Risk owners are closest to the situation, and if they are given the right context and goals they can be very effective in remediating risk. They also scale with the size of your enterprise: think of them as your army. How, then, can you harness this latent resource?
Gamification of your cybersecurity practice leverages people's natural desire for learning, mastery, competition, achievement, status, recognition, and rewards, and directs it toward reducing your organization's overall breach risk. Visionary CISOs have found ad hoc gamification very effective for pushing ownership of cyber-risk management down to individual risk owners. Balbix provides platform capabilities that let CISOs operationalize cybersecurity gamification.
Use gamification techniques to improve your security posture and decrease breach risk
Identification of Risk Owners
Before using gamification to improve your cybersecurity posture, you must map each risk to an owner. Balbix discovers asset owners by observing and analyzing your network traffic and endpoint behavior with specialized AI algorithms. The platform can also incorporate information (even if outdated or incomplete) from your CMDB and legacy inventory systems.
You can use natural language search to define groups and assign them to specific owners. Groups and owners can be organized in multiple hierarchies to reflect the organizational structure of your enterprise. With Balbix’s search capabilities, you can look for gaps in ownership and use this to further refine your setup.
Notifications and Digests
As a gamemaster, you need the ability to communicate with your game players (the risk owners) using rich context. For example, when a new threat such as WannaCry emerges, you will want to automatically notify each risk owner about the situation and tell them whether they have a new remediation task to complete.
Balbix's flexible notifications framework lets you set up and manage this kind of systematic distribution of tasks. You can customize the conditions under which tasks are created and assigned. Some tasks are periodic (for example, a recurring review of assets that are missing patches), while others are triggered by an external event such as a newly published exploit.
Tasks with Context
Each required mitigating action becomes a task with a value that reflects priority. When assigning tasks, you will want to provide risk owners with maximal context including information about different options for mitigating the risk. Humans generally perform best when provided with some degree of autonomy in how the task may be achieved and are more engaged when they know they have room to learn and show creativity and initiative.
Humans also learn a lot from failure, so you will want to tolerate some of it, within limits that do not compromise the overall integrity of your security program. The Balbix platform provides this context so that your risk owners learn something every day and stay engaged because of that learning opportunity.
Points and Incentives
Points and incentives are at the heart of gamification. As risk owners complete tasks in a timely fashion, they are awarded points. Accumulating points is what motivates risk owners, and it also lets you measure the relative effectiveness of different owners. The Balbix platform can be programmed to track and verify the completion of tasks, so that points are tied to a confirmed fix rather than merely to a closed ticket, and to keep each owner's points and other achievements. Risk owners get positive feedback in real time as their points balance increases, and this information can then be published as leaderboards.
You may also want to create quarterly or annual financial incentives for the "winners" of your game; these go a long way toward encouraging engagement and ownership among your colleagues in the game.
Leaderboard and Badges
The leaderboard is key to harnessing the competitive spirit of your risk owners to aggressively manage cyber-risk. Public recognition in the form of earned badges (physical ones work well) also goes a long way in driving a deeper sense of ownership and risk management among individual risk owners. Ideally, badges also confer some privileges on the badge holder. For example, the holder of the "Risk Busting Ninja" badge of honor might have the right to go to the head of the coffee line in the company cafeteria.
The Balbix notifications and digests can be programmed to implement a leaderboard and track badge achievements.
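The scoring model described in the Points and Incentives and Leaderboard and Badges sections above, as an added example that is not Balbix code and does not use any Balbix API. It assumes a 1 to 5 priority value on each task, a base-points scale per priority, half points for a fix verified after its SLA, and zero points for a task the owner has closed but a later scan still flags; the badge rule (one verified, on-time priority-5 fix earns "Risk Busting Ninja") and all task and scan data are constructed for the example.

```python
"""Verified-completion scoring and leaderboard for gamified risk remediation.

Added example, not Balbix code. Assumptions: priority is 1..5, points are
granted only once a scan taken after the owner's claim no longer observes the
finding, late-but-verified fixes earn half points. All data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Base points per priority level (assumed scale; tune it to your risk model).
BASE_POINTS = {1: 10, 2: 20, 3: 40, 4: 70, 5: 100}


@dataclass
class Task:
    task_id: str
    owner: str
    asset: str
    finding: str                 # vulnerability or misconfiguration identifier
    priority: int                # 1 (low) .. 5 (critical)
    created: datetime
    sla: timedelta               # time allowed before the fix counts as late
    claimed_done: Optional[datetime] = None   # owner closed the ticket
    verified_done: Optional[datetime] = None  # scanner confirmed the fix


# asset -> list of (scan_time, findings still observed on that asset)
ScanHistory = Dict[str, List[Tuple[datetime, Set[str]]]]


def verify(task: Task, scans: ScanHistory) -> Optional[datetime]:
    """Mark the task verified at the first scan taken after the owner's claim
    in which the finding is absent. A claim with no confirming scan, or a
    scan that still shows the finding, leaves the task unverified."""
    if task.claimed_done is None:
        return None
    for scan_time, findings in sorted(scans.get(task.asset, []), key=lambda s: s[0]):
        if scan_time > task.claimed_done and task.finding not in findings:
            task.verified_done = scan_time
            return scan_time
    return None


def score(task: Task) -> int:
    """Points for one task: full base points if verified within the SLA,
    half if verified late, zero if never verified."""
    if task.verified_done is None:
        return 0
    base = BASE_POINTS[task.priority]
    return base if task.verified_done <= task.created + task.sla else base // 2


def leaderboard(tasks: List[Task]) -> List[Tuple[str, int]]:
    totals: Dict[str, int] = {}
    for t in tasks:
        totals[t.owner] = totals.get(t.owner, 0) + score(t)
    # Highest score first; ties broken alphabetically so the order is stable.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def ninja_badge_holders(tasks: List[Task]) -> Set[str]:
    """Assumed badge rule: a verified, on-time fix of a priority-5 finding."""
    return {t.owner for t in tasks if t.priority == 5 and score(t) == BASE_POINTS[5]}


def build_sample() -> Tuple[List[Task], ScanHistory]:
    """Constructed sample data; these assets and owners are not real."""
    def day(d: int) -> datetime:
        return datetime(2024, 1, d, 9)
    week = timedelta(days=7)
    tasks = [
        Task("T1", "alice", "web-01", "CVE-2017-0144", 5, day(1), week, claimed_done=day(3)),
        Task("T2", "bob", "db-01", "CVE-2017-0144", 5, day(1), week, claimed_done=day(3)),
        Task("T3", "carol", "hr-02", "weak-tls-cipher", 2, day(1), week, claimed_done=day(12)),
        Task("T4", "alice", "web-02", "weak-tls-cipher", 2, day(1), week),
        Task("T5", "bob", "app-01", "outdated-openssl", 3, day(1), week, claimed_done=day(5)),
    ]
    scans: ScanHistory = {
        "web-01": [(day(2), {"CVE-2017-0144"}), (day(4), set())],  # fixed after the claim
        "db-01": [(day(4), {"CVE-2017-0144"})],                     # closed, still vulnerable
        "hr-02": [(day(13), set())],                                # fixed, but past the SLA
        "app-01": [(day(6), set())],
    }
    return tasks, scans


def run_example() -> Tuple[List[Tuple[str, int]], Set[str]]:
    tasks, scans = build_sample()
    for t in tasks:
        verify(t, scans)
    return leaderboard(tasks), ninja_badge_holders(tasks)


if __name__ == "__main__":
    board, badges = run_example()
    for owner, points in board:
        print(f"{owner:8} {points:4}")
    print("Risk Busting Ninja:", sorted(badges))
```

The point of the `verify` step is that bob's closed ticket for db-01 earns nothing because the next scan still sees the finding; awarding points on ticket closure alone would reward exactly the behaviour you are trying to eliminate.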
Integrations to Ticketing and Orchestration
Introducing gamification into your cybersecurity practice does not have to take it outside your existing enterprise workflows and reporting frameworks; the two operate together.
Balbix integrates with ticketing systems such as ServiceNow and Jira, so tickets can carry task assignments and context. All of the tracking and reporting systems that sit on top of your ticketing system continue to work as you gamify.