Ten years ago, in recession-hit Ireland, John Clarke was trying to make ends meet for his young family as a laborer and driver. But the money from working on building sites and driving a van just wasn’t enough — and John felt he was too old and unskilled to find something else. His wife encouraged him to go back to school, but that wasn’t simple either.

John had never finished high school, and he wasn’t sure moving to a single income was the right choice for the couple to make in the midst of a recession.

Still, he persisted. He returned to high school, wowed his teachers and was encouraged to study further. He then went to university, skipped years and worked as an intern at IBM. “I swear I was one of the oldest interns in history!” John said. When he discovered cybersecurity, John knew his academic and career development efforts had all been worthwhile.

An affable, hard-working and lively Dublin lad, John is now neck-deep in efforts to gamify incident response (IR) and security awareness training through IBM’s Cyber Ranges. He works as a cybersecurity and gamification strategist at the IBM X-Force Command Center, where he builds and develops scenarios to help train people in IR. His goal is to use gamification to engage with people outside of the classroom — and away from boring presentations and false learning environments.

Incident Response Training Is All Fun and Games

Gamification of security trades on the idea that sometimes you have to be dropped into the deep end to really learn. John and his colleagues dream up weird and wonderful games based around security ideology to educate participants about IR. They design the game, code it, build the infrastructure and set players loose.

“We build some wacky stuff,” John said. “Once, we built a mind-controlled Hungry Hungry Hippos game, all based around security.”

John’s team is behind IBM’s capture the flag (CTF) events, which gathers teams and pits them against each other to see who can solve a security breach first. The competitors are divided into two groups: The first group is tasked with attacking and compromising a system. The second group must try to protect that system from the other group. Then, they switch. Both teams get a shot at being the attackers and the defenders. This allows the groups to work creatively and share knowledge about what they learned during the simulation.

John must be one step ahead of both teams during the build stage — so he tries to guess what they’ll do and how they’ll react to ensure that the scenario is robust and bulletproof.

“These simulations offer a way to find out what people are really made of in the heat of the moment,” John said.

The Human Side of Cybersecurity

John comes to work every day and builds scenarios in which all hell breaks loose to teach people about the importance of IR and what to do when a breach inevitably occurs.

“I love what I do,” he said. “For a long time, security was an afterthought — get the tech up and running, get it so the customer loves it, then we’ll put the security in. I’ve seen a massive shift from my early days. The rate of defects that teams find now is really low, and security architects are right there at the beginning, which limits the amount of bugs the security teams find.”

John said he sees his role (and that of his fellow IR professionals) as crucial in the ongoing effort to drive cybersecurity awareness among students.

“Some colleges don’t even teach security until the final year,” John said. “It needs to start early on — and that’s why, as professionals, we go in and teach.”

For his part, John takes tools into junior schools, runs cybersecurity boot camps in the summer and makes sure the people he works with understand security before they get out into the real world.

“The problem is there’s a human aspect to it,” John said. “The human is making mistakes, opening doors for hackers. If you set up a server and leave it in default configuration, they now have access to your system. We need much more awareness much earlier.”

Giving Back to the IT Community

Cybersecurity is not just a day job for John — it’s his passion. He’s community-minded, people-centric and future-focused. He’s also passionate about giving something back and regularly speaks in schools about application security and online safety.

Why is this so important to him? “Because people invested in me at a time when I needed it,” John said.

One of those people was his mentor, Jason Flood, the chief technical officer (CTO) of security gamification and modelling at IBM, who got him involved with the Honeynet Project while John was on IBM’s Ethical Hacking Team (EHT). The Honeynet Project is a not-for-profit security research organization dedicated to investigating the latest attacks and developing open source security tools to improve internet security.

“That’s where my passion for building gamified scenarios comes from,” John said. “It was just a bunch of us lads hanging around, eating pizza and coding and chilling at 3 a.m. Most people go to clubs — we sat around, had beer and built challenges.”

“The good thing is it’s my day job now — this gamification stuff. IBM backs what we’re doing, they have a belief and see the value in terms of future hires,” John said. “When we ran an event in Boston, there were four or five people we would’ve hired instantly. As a tool to get people in a room and put them through their paces to see their technical ability, get a gauge for personality and how they respond, these gamified events are amazing. You get a feel a bit more for people as opposed to sitting in a suit in a chair at an interview and hoping you don’t mess up.”

Luckily for the next generation of cybersecurity professionals looking to get their shot at a new career track, John gave up driving a van to serve as a mentor and invent wacky cybersecurity games for the rest of us to learn from and enjoy.

Meet Cloud Security Architect Andi Hudson

More from Incident Response

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication.Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future success…

3 recommendations for adopting generative AI for cyber defense

3 min read - In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.Amid all this commotion, hackers and other cybercriminals are hardly…

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today