Think you can raid a dungeon for phat lewt with a bunch of Rogues? Think again. Without a skilled, experienced and diverse team, success in World of Warcraft is all but impossible. That extrapolates to infosec as well.
Many of my infosec colleagues and friends have played various MMOs (massively multiplayer online games) at one point or another. It’s a little geeky, but very complex and challenging. Initial success requires earning experience points through hours of practice, and understanding the role your chosen character plays in the environment.
Later on, it’s all about your skillz and ability to be a team player. Personally, I like it because you’re judged by your own merits. Your real name, nationality, gender, and actual location are masked, replaced by the avatar you have chosen, be it Warrior, Priest or Mage.
Looking for Members: Your Infosec Guild Needs a Full Complement of Classes
Infosec seems to predominately attract stealthy heroes, hackers and engineers with Rogue personalities. How many of them honestly want to manage a project to schedule and cost, or interface with executives, or customers?
Infosec needs a full cast of characters to protect the realm, attracting all the needed classes to fill the required jobs. But here’s the rub: All signs point to the coming dearth of qualified technical professionals to fill computing jobs.
By 2018, US Department of Labor statistics predict the United States will have 1.4 million open technology jobs. At the current rate of students graduating with degrees in computer science, only 61% of those openings will be filled. And you thought you were overworked now.
Plenty of data also indicates we have an ever-increasing challenge to attract diversity to infosec. Lots of smart people are focusing on making STEM studies appealing to women and minorities, writing articles that discuss how diversity increases the bottom line, and how “there exists a strong connection between innovation and diversity and inclusion; [the] challenge is to help leaders and fellow professionals understand that connection.”
But there’s something missing from this conversation. Here’s the connection I think my fellow WoWheads can get behind.
Just as people working in infosec have specialties, so do Warcraft players. Infosec has application security, governance or IPS specialists, just as WoW players can play Paladin, Hunter, or Shaman. In the beginning, building experience requires completing quests, which are tasks or missions not unlike the building of skills required of an entry-level infosec professional.
While a character can be played on its own, fully-leveled players often group with others to tackle more challenging content. Most end-game challenges are designed in a way that they can only be overcome while in a well-balanced group of determined, skilled players.
The same goes for infosec: no one can do it all alone, or be as technically deep and wide as is necessary to defeat the myriad assaults from foreign governments, malicious attackers, or unethical competitors. Plus we all like different things, enjoy different challenges within infosec, and all bring individualized perspectives to the problem set.
Balancing Roles in WoW and Infosec
In most MMOs, the common responsibilities include the tank, the healer and the damage dealer. For example, in WoW a popular group is comprised of a Warrior to keep the attention (aggro) of the Boss, a Priest to keep the group members alive, a Hunter and Warlock to deal damage, and a hybrid class like a Shaman to switch around as needed. One of these also assumes responsibility for managing and leading the group.
A well-rounded infosec organization benefits from a similar diversity and skills balance. Infosec needs engineers, architects, analysts, and managers, among others. With rare exception, managers are not the lead hackers, just like Warriors aren’t the best choice for healers.
Bring the Skillz
It is in the self-interest of the infosec teams to grow the next generation to meet the demand to defend. Everyone has struggled as a noob at some point. Later, we have laughed at the online beginners who were obviously trying and learning.
As long as they were not repeating mistakes, and not acting like know-it-alls, we would (occasionally) share our tricks of the trade. Sponsorship in its best form. The seniors teach the mids, the mids teach the noobs, and the team gains. In WoW, how many of us have known the Guild of Jerks, where no one helped anyone? No one stayed to play with them for long.
We know a skilled, diverse and well-rounded team works for online gaming. It seems a natural extrapolation to infosec teams. Josh Corman, former director of Security Intelligence at Akamai Technologies, said it best: “…to change infosec industry, you must look at all parties’ self-interests.”
Those of us on the front line, who can appreciate a solid WoW team, can build the next gen infosec team with some basic tenets:
Seasoned Infosec Veterans:
- Go beyond your comfort zone to consider how a diverse candidate can augment the team.
- Mentor someone whom you see with potential.
- Attend events that showcase technical candidates in underrepresented groups.
Leveled Candidates with Infosec Potential:
- Honestly represent your current skill level and be willing to learn and grow laterally or vertically to enrich the team.
- This is a complex field. Education is key, and learning a career-long responsibility.
- Read about the next challenge on the horizon; develop a strategy to defend and share it.
Those with a burning interest in Infosec:
- Analyze the companies (guilds?) you want to be a part of. See what they need.
- Be tenacious and build your skills to match the need.
- Attend local Meet Ups to learn from others on the same journey.
Infosec candidates, really all of us, want to be known for our talents outright, not filtered by gender, race or nationality. By finding and cultivating the best and the brightest, even if they haven’t (yet) played World of Warcraft, your Infosec team, your company, and maybe even your Guild will have the advantage, now and in 2018.
About the Author: Marsha Wilson has a B.A. in English from CalState Northridge, and an MBA from Embry Riddle Aeronautical University. Her crazy long string of certifications beyond OSCP can be found at linkedin.com/in/marshajwilson/, or follow @decisivemarsha. Her career has focused on the chasm between IS and Business, regardless of business sector. She is a contract consultant, mom and wife, and an avid Stone IPA and jogging enthusiast.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.