"Penn Test" challenge helps infosec team think like attackers

At Penn Medicine, gamifying security training builds skills, drives employee retention.

capture the flag hackathon face off
Getty Images

From the outside, a career in cybersecurity seems pretty damn sexy — all those hoodies and green Matrix characters streaming past in the background wherever you go, popping boxen, zero-days and exploits, APTs and hackers, oh my. The reality on the inside, of course, can seem more like accounting. The sometimes boring drudgery of security operations can be a drum beat of digital paper shuffling, SIEM alerts to wade through, security audits to perform, GRC (governance, risk and compliance) to manage.

Keeping things a little spicy is key to employee acquisition and retention in a tight job market, and pushing your blue team to think more like an attacker pays dividends in an improved organizational security posture, according to Penn Medicine's Seth Fogie, director of information security, who launched and manages their biweekly "Penn Test" security challenge for in-house security staff — a project that earned Penn Medicine a CSO50 award.

Real-world capture-the-flag scenarios

For 90 minutes every other week, the 35- to 40-person security department, including security engineering, security operations and information assurance, come together for a short capture-the-flag (CTF) competition. Fogie says he chooses real-world scenarios that could (and do) happen on their networks, so that employees are immediately empowered to go forth and seek out that vulnerability on their networks.

To continue reading this article register now

What is security's role in digital transformation?