Last Updated: 6th November, 2020
Risk is a necessary part of product development. Organizations are continually trying to strike a balance between releasing new user experiences and ensuring that they do not ship buggy products with devastating security vulnerabilities.
It's fair to say that this balancing act forces leaders to choose between the risk of security incidents and the risk of market stagnation, but what can businesses do to break out of this tradeoff trap? Effective modern CISOs have embraced working with a global community of third-party security researchers to expand capacity, fill skill gaps and align continuous testing with continuous delivery.
Simply ignoring technology risk makes you and your customers vulnerable. However, focusing too heavily on the danger puts you months, or even years, behind your competitors, with the potential for that gap to keep growing. Neither situation is ideal. The one thing that needs to change here is the concept of risk itself.
The good news is that you can change the risk vs reward dynamic within your business. In fact, once you redefine how your business sees risk, it's possible to break free of the fear of cyber-criminals and devise a predictable model for investing in risk reduction that accelerates speed to market.
Redefining risk within a business is undoubtedly a major mindset shift, and this shift needs to come from outside the cybersecurity department. Often, CISOs and security engineers are only brought in at the final stages of product development to make sure there are no holes. In siloed organizations like this, internal security teams are, like risk, seen as a necessary evil.
One of the biggest shifts in risk perception a business can make is bringing its security professionals into the product development lifecycle sooner. This behavioral shift integrates security team input earlier in the process, giving the team a more strategic role rather than a simple box-ticking exercise at the end.
The CISO and their team, however, do have limitations. They are best positioned to drive strategic security programs that address the balance between speed and risk, but they can rarely do so alone. They face a finite-resource problem. On top of this, they will have expertise in specific areas only.
In the security space, this manifests itself as specialist knowledge of certain systems, threats or attack vectors. Building a diverse team of specialists in every relevant field to accompany the generalists with broader business context is nigh impossible, even for the most attractive employers with the deepest pockets.
Enter the ethical hacking community: there are hundreds of thousands of freelance security specialists around the world that businesses can engage to expose vulnerabilities. Their sheer number means they can collectively work around the clock to find holes and bugs in your software. Private programs allow teams to safely draw on community expertise at any point in the product development lifecycle, sharing as much or as little information as you feel comfortable with.
Even with programs focused on testing production environments, feedback loops are much tighter: getting a vulnerability report into the hands of the development team within days or weeks of the bug being introduced reduces the window of risk and helps identify similar issues in areas of the application that are still under active development.
Some may believe that the use of ethical hackers (despite their being a global force for good) replaces one risk with another: how can these third parties be trusted? In fact, some of the most successful ethical hackers in our community are reformed cyber-criminals. What is to stop them from taking your valuable software and selling it to criminals on the dark web? You should absolutely be asking these questions, though you may be surprised to learn how similar the trust factors are to the ones that allow you to trust traditionally employed staff.
To be clear, it's most likely not a good idea to offer anonymous people on the web unfettered access to internal networks or pre-production software. That's where partnering with an experienced, reputable vendor can help the security department increase speed, coverage and access to skills without adding operational or legal risk.
Several platforms use transparent triage systems, controlled access and reputation mechanisms to establish a mutually trusting relationship with ethical hackers and to meet regulatory requirements. Ultimately, the image of hackers is changing, and more businesses than ever are inviting the community of independent researchers in to hack their systems and help keep them secure.
Pragmatic security leaders know that cyber-criminals are not waiting for an invitation; they are already constantly trying to break in. A significant part of redefining and owning this cyber risk is showing cross-functional partners that working with the hackers you know is the best defense against the ones you don't.
Ultimately, with the emergence of hacker-powered security as part of mainstream security hygiene, the risk vs reward dynamic is evolving. To take advantage of this, business leaders need to consult their security engineers and CISOs throughout the product development lifecycle.
Employing an army of hackers to discover vulnerabilities can free up internal resources to partner with developers and reduce time to market, with higher-quality code going out the door in the first place. Demystify and redefine the risk and reward dynamic with the community-driven ethical hacking approach.