Ten years ago, in recession-hit Ireland, John Clarke was trying to make ends meet for his young family as a laborer and driver. But the money from working on building sites and driving a van just wasn’t enough — and John felt he was too old and unskilled to find something else. His wife encouraged him to go back to school, but that wasn’t simple either.

John had never finished high school, and he wasn’t sure moving to a single income was the right choice for the couple to make in the midst of a recession.

Still, he persisted. He returned to high school, wowed his teachers and was encouraged to study further. He then went to university, skipped years and worked as an intern at IBM. “I swear I was one of the oldest interns in history!” John said. When he discovered cybersecurity, John knew his academic and career development efforts had all been worthwhile.

An affable, hard-working and lively Dublin lad, John is now neck-deep in efforts to gamify incident response (IR) and security awareness training through IBM’s Cyber Ranges. He works as a cybersecurity and gamification strategist at the IBM X-Force Command Center, where he builds and develops scenarios to help train people in IR. His goal is to use gamification to engage with people outside of the classroom — and away from boring presentations and false learning environments.

Incident Response Training Is All Fun and Games

Gamification of security trades on the idea that sometimes you have to be dropped into the deep end to really learn. John and his colleagues dream up weird and wonderful games based around security ideology to educate participants about IR. They design the game, code it, build the infrastructure and set players loose.

“We build some wacky stuff,” John said. “Once, we built a mind-controlled Hungry Hungry Hippos game, all based around security.”

John’s team is behind IBM’s capture the flag (CTF) events, which gather teams and pit them against each other to see who can solve a security breach first. The competitors are divided into two groups: The first group is tasked with attacking and compromising a system. The second group must try to protect that system from the other group. Then, they switch. Both teams get a shot at being the attackers and the defenders. This allows the groups to work creatively and share knowledge about what they learned during the simulation.

John must be one step ahead of both teams during the build stage — so he tries to guess what they’ll do and how they’ll react to ensure that the scenario is robust and bulletproof.

“These simulations offer a way to find out what people are really made of in the heat of the moment,” John said.

The Human Side of Cybersecurity

John comes to work every day and builds scenarios in which all hell breaks loose to teach people about the importance of IR and what to do when a breach inevitably occurs.

“I love what I do,” he said. “For a long time, security was an afterthought — get the tech up and running, get it so the customer loves it, then we’ll put the security in. I’ve seen a massive shift from my early days. The rate of defects that teams find now is really low, and security architects are right there at the beginning, which limits the amount of bugs the security teams find.”

John said he sees his role (and that of his fellow IR professionals) as crucial in the ongoing effort to drive cybersecurity awareness among students.

“Some colleges don’t even teach security until the final year,” John said. “It needs to start early on — and that’s why, as professionals, we go in and teach.”

For his part, John takes tools into junior schools, runs cybersecurity boot camps in the summer and makes sure the people he works with understand security before they get out into the real world.

“The problem is there’s a human aspect to it,” John said. “The human is making mistakes, opening doors for hackers. If you set up a server and leave it in default configuration, they now have access to your system. We need much more awareness much earlier.”

Giving Back to the IT Community

Cybersecurity is not just a day job for John — it’s his passion. He’s community-minded, people-centric and future-focused. He’s also passionate about giving something back and regularly speaks in schools about application security and online safety.

Why is this so important to him? “Because people invested in me at a time when I needed it,” John said.

One of those people was his mentor, Jason Flood, the chief technical officer (CTO) of security gamification and modelling at IBM, who got him involved with the Honeynet Project while John was on IBM’s Ethical Hacking Team (EHT). The Honeynet Project is a not-for-profit security research organization dedicated to investigating the latest attacks and developing open source security tools to improve internet security.

“That’s where my passion for building gamified scenarios comes from,” John said. “It was just a bunch of us lads hanging around, eating pizza and coding and chilling at 3 a.m. Most people go to clubs — we sat around, had beer and built challenges.”

“The good thing is it’s my day job now — this gamification stuff. IBM backs what we’re doing, they have a belief and see the value in terms of future hires,” John said. “When we ran an event in Boston, there were four or five people we would’ve hired instantly. As a tool to get people in a room and put them through their paces to see their technical ability, get a gauge for personality and how they respond, these gamified events are amazing. You get a feel a bit more for people as opposed to sitting in a suit in a chair at an interview and hoping you don’t mess up.”

Luckily for the next generation of cybersecurity professionals looking to get their shot at a new career track, John gave up driving a van to serve as a mentor and invent wacky cybersecurity games for the rest of us to learn from and enjoy.
