Ten years ago, in recession-hit Ireland, John Clarke was trying to make ends meet for his young family as a laborer and driver. But the money from working on building sites and driving a van just wasn’t enough — and John felt he was too old and unskilled to find something else. His wife encouraged him to go back to school, but that wasn’t simple either.

John had never finished high school, and he wasn’t sure moving to a single income was the right choice for the couple to make in the midst of a recession.

Still, he persisted. He returned to high school, wowed his teachers and was encouraged to study further. He then went to university, skipped years and worked as an intern at IBM. “I swear I was one of the oldest interns in history!” John said. When he discovered cybersecurity, John knew his academic and career development efforts had all been worthwhile.

An affable, hard-working and lively Dublin lad, John is now neck-deep in efforts to gamify incident response (IR) and security awareness training through IBM’s Cyber Ranges. He works as a cybersecurity and gamification strategist at the IBM X-Force Command Center, where he builds and develops scenarios to help train people in IR. His goal is to use gamification to engage with people outside of the classroom — and away from boring presentations and false learning environments.

Incident Response Training Is All Fun and Games

Gamification of security trades on the idea that sometimes you have to be dropped into the deep end to really learn. John and his colleagues dream up weird and wonderful games based around security ideology to educate participants about IR. They design the game, code it, build the infrastructure and set players loose.

“We build some wacky stuff,” John said. “Once, we built a mind-controlled Hungry Hungry Hippos game, all based around security.”

John’s team is behind IBM’s capture the flag (CTF) events, which gathers teams and pits them against each other to see who can solve a security breach first. The competitors are divided into two groups: The first group is tasked with attacking and compromising a system. The second group must try to protect that system from the other group. Then, they switch. Both teams get a shot at being the attackers and the defenders. This allows the groups to work creatively and share knowledge about what they learned during the simulation.

John must be one step ahead of both teams during the build stage — so he tries to guess what they’ll do and how they’ll react to ensure that the scenario is robust and bulletproof.

“These simulations offer a way to find out what people are really made of in the heat of the moment,” John said.

The Human Side of Cybersecurity

John comes to work every day and builds scenarios in which all hell breaks loose to teach people about the importance of IR and what to do when a breach inevitably occurs.

“I love what I do,” he said. “For a long time, security was an afterthought — get the tech up and running, get it so the customer loves it, then we’ll put the security in. I’ve seen a massive shift from my early days. The rate of defects that teams find now is really low, and security architects are right there at the beginning, which limits the amount of bugs the security teams find.”

John said he sees his role (and that of his fellow IR professionals) as crucial in the ongoing effort to drive cybersecurity awareness among students.

“Some colleges don’t even teach security until the final year,” John said. “It needs to start early on — and that’s why, as professionals, we go in and teach.”

For his part, John takes tools into junior schools, runs cybersecurity boot camps in the summer and makes sure the people he works with understand security before they get out into the real world.

“The problem is there’s a human aspect to it,” John said. “The human is making mistakes, opening doors for hackers. If you set up a server and leave it in default configuration, they now have access to your system. We need much more awareness much earlier.”

Giving Back to the IT Community

Cybersecurity is not just a day job for John — it’s his passion. He’s community-minded, people-centric and future-focused. He’s also passionate about giving something back and regularly speaks in schools about application security and online safety.

Why is this so important to him? “Because people invested in me at a time when I needed it,” John said.

One of those people was his mentor, Jason Flood, the chief technical officer (CTO) of security gamification and modelling at IBM, who got him involved with the Honeynet Project while John was on IBM’s Ethical Hacking Team (EHT). The Honeynet Project is a not-for-profit security research organization dedicated to investigating the latest attacks and developing open source security tools to improve internet security.

“That’s where my passion for building gamified scenarios comes from,” John said. “It was just a bunch of us lads hanging around, eating pizza and coding and chilling at 3 a.m. Most people go to clubs — we sat around, had beer and built challenges.”

“The good thing is it’s my day job now — this gamification stuff. IBM backs what we’re doing, they have a belief and see the value in terms of future hires,” John said. “When we ran an event in Boston, there were four or five people we would’ve hired instantly. As a tool to get people in a room and put them through their paces to see their technical ability, get a gauge for personality and how they respond, these gamified events are amazing. You get a feel a bit more for people as opposed to sitting in a suit in a chair at an interview and hoping you don’t mess up.”

Luckily for the next generation of cybersecurity professionals looking to get their shot at a new career track, John gave up driving a van to serve as a mentor and invent wacky cybersecurity games for the rest of us to learn from and enjoy.

Meet Cloud Security Architect Andi Hudson

More from Incident Response

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today