Russell Coleman, EMEA Sales Manager at HackerOne, explains how hacker-powered security can be an effective way for your organisation to make the most of its resources.
Although the CISO’s is a technically and intellectually complex role, its mandate is quite simple: to keep the organisation’s data secure and to minimise system downtime caused by security issues. This means doing everything possible to keep bad actors from gaining access to critical assets and disrupting business processes. The intangible nature of software vulnerabilities makes them a major access point that cybercriminals take advantage of. Any CISO must enable development teams to fix these in order to fulfil this mandate, but often the same people responsible for driving remediation timelines must also spend time finding those weak spots, creating a bottleneck at either the ‘find’ or the ‘fix’ stage of the process.
Outside of the digital world, when something needs to be found and time is of the essence, we form search parties and it should be this way for vulnerabilities as well. If the police receive a call about a missing person, it would be highly irresponsible for them to send one officer in to look. They’d send a team, along with volunteers from local towns, to find the person as quickly as possible.
In a similar vein, it is possible to search for security flaws with internal resources if you have the skills, but many brains are better than few. An external penetration tester can offer a different perspective and perhaps catch issues your internal team has missed, but even they have their limits: time, human capacity for focus and competing priorities. Only an unlimited budget would allow traditional penetration testing to deliver continuous coverage aligned with modern development cycles.
There is a third option, however, that allows for this ‘search party’ approach to finding vulnerabilities and closely aligns costs with value delivered – a rarity in security budget sheets. This approach also comes with the benefit of a collective imagination that is virtually limitless and powered by cutting-edge techniques. It is designed to channel the power of the ethical hacking community toward the security and business objectives of a particular organisation.
A consistent and healthy bug bounty programme acts as a safety net, finding vulnerabilities missed by SDLC automation and point-in-time penetration testing. With a reliable layer of vulnerability discovery that’s always-on and driven by results, CISOs can focus their highly valuable internal resources on the things that really matter, such as holistic changes to vulnerability management processes, secure coding enablement or deep root cause analysis to address systemic issues. Lifting your prized security personnel out of vulnerability whack-a-mole cycles enables them to be better partners to the business and reduces burnout.
Further, our own research found that 82% of UK CISOs have had projects stifled due to security concerns. Knowing that your vulnerability safety net is healthy and performing at or above the level of industry peers maximises security and development teams’ confidence that projects can be delivered both low-risk AND on time.
Hacker-powered security is unique as a solution because this army of ethical hackers tests systems with a similar external perspective to threat actors – only you get to define the rules and build an incentive structure to align findings with business impact. Security talent you enlist to hack for good increases the size and skillset of the team working to make sure that when bad actors do land on your organisation’s system, there are no easy routes in for them to exploit – a key to the Defence in Depth principle.
Hacker-powered security can be an effective way for your organisation to make the most of its resources and align manual security testing with agile development processes. Consider utilising hacking for good to not only reduce process and people overhead when finding vulnerabilities, but also to ensure your organisation won’t need to spend time and money on activities it never wants to experience – recovering from a data breach.