Risk is a necessary evil of product development. Businesses are constantly looking to strike a balance between releasing new experiences for customers and making sure they are not releasing buggy, insecure products with major security vulnerabilities.
It’s safe to say that this balancing act forces leaders to choose between risk of security incidents and risk of market stagnation, but what can businesses do to break out of this tradeoff trap? Effective modern CISOs have embraced working with a global community of third-party security researchers to expand capacity, fill skill gaps and align continuous testing with continuous delivery.
Simply ignoring technology risk makes you and your customers vulnerable. However, focusing too much on the danger puts you months, or even years, behind your competitors, with the potential for that gap to keep growing. Neither situation is ideal. What needs to change here is the concept of risk itself.
The good news is you can change the risk vs reward dynamic within your business. In fact, once you redefine how your business sees risk, it’s possible to break free of the fear of cyber-criminals and create a predictable model for investing in risk-reduction that accelerates speed-to-market.
Redefining risk within a business is undoubtedly a major mindset shift, and this shift needs to come from outside of the cybersecurity department. Often, CISOs and security engineers are only brought in at the final stages of product development to make sure there are no holes. For siloed organizations like this, internal security teams are – like risk – seen as a necessary evil.
One of the biggest shifts in risk perception a business can make is bringing its security professionals into the product development lifecycle sooner. This behavioral shift integrates security team input earlier in the process and gives the team a more strategic role, rather than a simple box-ticking exercise at the end.
The CISO and their team, however, do have limitations. They are best positioned to drive strategic security programs that address the balance between speed and risk – but they can only do so much. They face a finite resource issue, and on top of this, their expertise will be concentrated in specific areas.
In the security space, this manifests itself as having specialist knowledge of certain systems, threats or attack vectors. Building a diverse team of specialists in all relevant fields to accompany the generalists with broader business context is nigh impossible even for the most desirable employers with the deepest pockets.
Enter the ethical hacking community: there are hundreds of thousands of freelance security specialists around the world that businesses can leverage to find vulnerabilities. The sheer number of them means they can collectively work around the clock to find holes and bugs in your software. Private programs allow teams to safely leverage community expertise at any time during the product development lifecycle, sharing as much or as little information as you feel comfortable with.
Even with programs focused on testing production environments, feedback loops are much tighter: getting a vulnerability report into the hands of the development team within days or weeks of the bug being introduced reduces the window of risk and helps identify similar issues in areas of the application still under active development.
Some may believe that the use of ethical hackers (despite being a global force for good) replaces one risk with another: how can these third parties be trusted? In fact, some of the most successful ethical hackers in our community are reformed cyber-criminals. What is to stop them from taking your valuable software and selling it to nefarious criminals on the dark web? You should absolutely be asking these questions, though you may be surprised to learn how similar the trust factors are to the forces that allow you to trust traditionally employed resources.
To be clear, it’s probably not a good idea to offer anonymous people on the web unfettered access to internal networks or pre-production software. That’s where partnering with an experienced, reputable vendor can help the security department increase speed, coverage and access to skills without compromising operational or legal risks.
Platforms like ours use transparent triage systems, controlled access and reputation mechanisms to establish a mutually trusting relationship with ethical hackers and meet legal requirements. Ultimately, the image of hackers is changing, and more businesses than ever are inviting the community of independent researchers in to hack their systems and help get things fixed.
Pragmatic security leaders know cyber-criminals are not waiting for their invitation; criminals are already constantly trying to break in. A major part of redefining and owning this cyber risk is showing cross-functional partners that working with the hackers you know is the best defense against the ones you don't.
Ultimately, with the emergence of hacker-powered security into mainstream security hygiene, the risk vs reward dynamic is evolving. To take advantage of this, business leaders need to strategically consult their security engineers and CISOs throughout the product development lifecycle.
Using an army of hackers to discover vulnerabilities can free up internal resources to partner with developers and reduce time to market with higher-quality code going out the door in the first place. Demystify and redefine the risk and reward dynamic with the community-driven ethical hacking approach.