Among the topics they explored were the success of their long-running bug bounty programs in discovering security vulnerabilities, how to explain program value to C-suite executives, and why outside hacker efforts complement internal security initiatives.
Sri Shivananda started by describing the two sides of the problem. On one side are the dedicated professionals doing everything possible to create secure products and services at their companies. On the other are people with malicious intent looking to exploit even the smallest of vulnerabilities.
“Any logical individual will say we probably need something in the middle,” said Shivananda. “That’s where collaboration with the community of hunters and hackers creates value for organizations like ours.”
Shivananda and Phil Venables, who leads risk, security, compliance, and privacy teams for Google Cloud, joined HackerOne for a wide-ranging discussion about the challenges businesses face today combating cyberthreats. They are two of the world’s foremost authorities when it comes to cyber vigilance. In their session, “Mapping Your Hacker-Powered Security Journey,” they kept returning to one theme.
Building a strong security strategy is a team commitment. And that explains the power of adding a hacker-led layer of defense to complement your organization’s internal security efforts.
“I’ve long held the belief that no matter how good your security program is, there’s always the chance that vulnerabilities will occur,” Venables said. “Companies should want people with good intentions to find and report those issues faster than malicious actors can discover them. The key to success is marshaling a community of good guys to help find these issues.”
Why Organizations Should Consider Cybersecurity in All Business Decisions
Cybersecurity should be, and in many cases is, top-of-mind for every organization. A PwC 2021 Global Digital Trust Insights Survey found that 50% of executives say security and privacy will be part of every business decision or plan. Meanwhile, the number of headline-generating cyberattacks and ransomware incidents is growing. One FBI report determined that cybercrime, as a whole, resulted in losses of more than $4.1 billion in the U.S. alone in 2020.
Despite companies’ best and most well-intentioned efforts, vulnerabilities are inevitable, Venables and Shivananda stressed. Enter the hacker community, which can play an essential role in managing cyber risk. Shivananda described hackers as the internet’s immune system, citing analyst Keren Elazari’s well-known TED Talk on the subject.
How PayPal’s Bug Bounty Program Improves Security, Eliminates Risk, and Builds Trust
PayPal works with more than 400 million consumers and merchants worldwide. Nothing is more critical than security and trust, Shivananda said. That’s why PayPal has been running a successful bug bounty program for years, in which outside researchers scour the company’s broad digital surface area, the same surface where bad guys probe for gaps. He said PayPal’s bug bounty is extraordinarily adept at identifying issues that can be quickly resolved before they become significant problems.
“In the beginning, we were surprised at the kinds of things that hackers found,” Shivananda added. “Today, we continue to be surprised. They identify things that are tougher and tougher to find. Our engagements with researchers have yielded reflections that allow us to share our security strategy with programming development. The hacker community is helping us become a better security company through their contributions.”
That is the “golden ticket” of working with hackers, added Amanda Berger, HackerOne’s Head of Customer Success, who served as the moderator.
How HackerOne Helps Organizations Map Their Security Journeys
Venables, who was CISO at Goldman Sachs before joining Google, said he looks at hacker programs as an exercise in strength in numbers. Many people work together, and not just as a defense for one company: when learnings are shared throughout the community, everyone benefits. He believes in the model so strongly that he recently joined HackerOne’s Board of Directors. Venables said that companies such as HackerOne excel at designing vulnerability rewards programs that meet legal and compliance requirements.
He acknowledged that there is resistance to initiatives using outside hackers. But typically, as these kinds of projects demonstrate their value, attitudes quickly change, both among decision-making executives and front-line developers, he added.
“My experience is that companies start off with a program like this with some degree of nervousness,” Venables said. “But then the development teams generally are excited when they’re told about an issue, and they get to fix and learn from it. After that, the trust increases, and the hesitancy dissipates because it’s an opportunity to improve. I think it works really well, and having a company like HackerOne that specializes in this is useful for many organizations.”
The reality, Venables and Shivananda agreed, is that security is a continuous journey because of constant technology changes and the evolving nature of threats. Just as important, it’s a journey that no business takes alone. As organizations become more enmeshed in our increasingly connected world, vulnerabilities at other companies quickly become your vulnerabilities, particularly when it comes to supply chains. Organizations are exposed both individually and as a result of their relationships with third parties. For cybercriminals, the software supply chain attack vector means significant opportunity.
How the HackerOne Hacker Community Complements Security Efforts
The hacker community, the world’s largest and most diverse, can play a crucial role in complementing security efforts that protect everyone, they said.
“You can use all of the modern philosophies, methodologies, architectures, and so on,” Shivananda added. “But cybersecurity is a planet-scale problem. It’s best to bring every brain that can contribute together to collaborate and help address it for the long term. Journeys are never done, and that’s especially true when it comes to security.”
Watch the complete discussion and the rest of Security@ On-Demand here.