Russell Coleman, Coordinated Disclosure Advisor at HackerOne, offers a deeper insight into ethical hacking and discusses the benefits such as its ability to offer organisations an additional layer of protection.
People love new technology and in the connected digital world we live in today, this tends to mean immersive tech experiences, new devices and more flexible and creative ways to live and work. This drive and desire for new and shiny technology to play with means businesses need to innovate quickly to stay ahead and satisfy demand. The pace of innovation is outstripping the ability to keep digital assets secure, causing conflicting priorities and scaling challenges for CISOs, whose primary job is to anticipate and mitigate breaches and security issues.
Some try to slow down the innovation cycles to make sure data remains secure. In fact, a recent survey showed that 82% of CISOs say that software projects are stifled because of the fear of cyberthreats. Finding the right balance between driving innovation and keeping data safe is clearly one way to maintain control, but as society continues to demand faster, newer and better digital experiences, what other tricks can CISOs have up their sleeves?
If businesses are focused on balancing innovation with security, it can start to hold back development teams. Traditional cyber security strategies are often static or programmable solutions, implemented and designed for the here and now. The challenge with this is that security teams can start off with the best intentions in the world, but updates and testing needs to be done. The longer this is delayed, the more vulnerable an organisation is and the gap between innovation capabilities and security capabilities continues to widen. These solutions can also quickly become outdated once new development takes place. The key to combating this and keeping pace with innovation is to ensure cybersecurity is constantly evolving.
This doesn’t mean that traditional cybersecurity solutions are obsolete, but combining this with a scalable and continuous strategy such as ethical hacking will give businesses the edge they need to support innovation. Hacker-powered security means systems are constantly going to be tested and any vulnerabilities discovered are reported immediately, reducing time from discovery to resolution. In addition, by leveraging the pay-for-results model of hacking for good, organisations can start to align tester incentives with business impact to improve signal:noise ratios of testing output.
So, with ethical hacking reducing risks of criminally exploited vulnerabilities and driving innovation, what is holding back businesses from embracing this strategy? Our recent showed that although 83% of CISOs believe software vulnerabilities are a significant threat, over 50% would be willing to accept this risk rather than invite unknown hackers in to find them. We need to move beyond the stereotypical image of a hooded ‘criminal’ hacker and acknowledge that this skillset has a huge potential to bring good.
Introducing hackers to IT systems and embracing this as part of a cybersecurity strategy can seem like a big leap – it requires a different mindset and a more innovative and forward-thinking strategy to adopt a more modern trust model. But it’s important to remember cybercriminals aren’t waiting for an invitation, they are already constantly trying to break in. By embracing the ethical hacking community, security teams can leverage this skillset for good to find and patch vulnerabilities before threat actors do.
Businesses need to be brave and break away from the traditional ways of thinking. Many security teams often want to play it safe and stick to what they know. After all, no security expert wants to take a risk and see it backfire. However, the unknown around ethical hacking is perpetuating the myth that it is risky, and this is not the case. Cybercriminals are not waiting for any invitation to break into your system; they are already constantly trying to find new vulnerabilities. Ethical hacking is a platform that can support all organisations of any size and by inviting ethical hackers, you can find and fix vulnerabilities before the bad guys.
In addition, the constant data breaches hitting the headlines show us that these more traditional and mainstream tactics are not working. Cybersecurity is constantly a topical issue, breaches are still making the news and we are even starting to see government action and law come into play. This should act as a wakeup call that we need to readdress cybersecurity and that traditional testing delivery models aren’t effective in today’s innovation environment. Ethical hacking gives organisations an additional layer of protection, and constant monitoring should form a strategic part of any good cybersecurity hygiene. Hackers often think outside the box – they look for new endpoints and target different areas of the business, constantly looking for a way in. By leveraging this knowledge, IT teams can start to build up a thorough cybersecurity strategy that identifies and fixes weaknesses using modern development frameworks.
CISOs can embrace business innovation and support teams with a continuous cybersecurity strategy. The fear of the unknown should not hold back development. People aren’t going to start wanting less new stuff, so we need to develop new ways to meet demand while making sure that what we create is secure against digital exploitation.
Click below to share this article