Cybersecurity researchers and ethical hackers work against bad actors for the good of society. But who are these security researchers? Ashish Gupta, CEO at Bugcrowd, spoke to Adrian Ludwig, CISO at Atlassian, to get the lowdown on his journey from hacker to security executive, how he manages security for such a diverse IT environment, and how he’s bringing crowdsourced security to the wider community.
How did you end up working in cybersecurity?
Adrian: I started out at the NSA – mainly because they offered to pay for me to go to college, which was an opportunity I might have missed out on otherwise. I was originally interested in cryptography, but then I discovered something even more exciting – ethical hacking. Following my time at the NSA, I had security roles at Adobe Systems and Android. I also spent several years consulting, which involved helping to find vulnerabilities in various web apps and operating systems. In 2018, I joined Atlassian as CISO, so now I’m responsible for protecting assets from the inside.
How has cybersecurity changed over the years in your experience?
Adrian: For me, cybersecurity has always been about trying to solve interesting problems, but the landscape has evolved, which has demanded a different approach. Early on, security was primarily seen as a technical issue, whereas now, a lot of the problems in the security space are organizational, so that’s where I try to focus – on people, process, and organization.
Having been on both sides, can you share any insights into the relationship between hackers and security personnel?
Adrian: Twenty years ago, the two communities didn’t interact much – the hackers and the people building defenses were pretty separate. Most people didn’t have a very good grasp of bug hunters at all, to be honest – there was just their glorified image in movies like Hackers or The Matrix. Now, I think there’s a much better understanding of what attackers do and how they work, and greater interaction between those communities.
You’re responsible for security for a large and diverse IT environment – how do you ensure everything gets fixed?
Adrian: I don’t think it’s always necessary, or even possible, to fix absolutely everything. My job is more about identifying the right things to fix. A lot of it is pretty basic – making sure you’re updating and patching systems on a regular basis and frequently checking your infrastructure. With continuous updates, you create an environment that’s much harder for an attacker to get to grips with, and if you’re interacting with the environment regularly you’re more likely to identify anomalies that could indicate a problem. One of the key lessons I’ve learnt over the years is that it’s impossible to know about everything in a modern enterprise, so I don’t expect to. I trust in my team and each member’s ability to handle their specific area of responsibility. It’s a strategy that’s working so far – we’re well-equipped to defend against any potential attack.
Why do you use crowdsourced security?
Adrian: We’re bound to have some blind spots, and they’re what concern me the most. But that’s where diversity comes into play. With people from various different backgrounds and with a multitude of experiences, we’re more likely to pick up issues faster. That’s why working with a broad set of people outside the Atlassian environment to look at our systems is incredibly important. No matter how much pen testing we do, no matter how many internal evaluations or analysis tools we run, it’s always going to be beneficial to have other people checking our environment. It’s a win-win situation – either the Crowd finds something we didn’t see, in which case we can fix it. Or they don’t find anything, which validates our efforts.
How are you bringing crowdsourced security to the wider community?
Adrian: At Atlassian, we have a whole ecosystem of partners creating applications that plug directly into the Atlassian infrastructure to extend its functionality, and we make their applications available via our ecosystem marketplace. Many of these partners are fairly small development companies that don’t necessarily have enough employees to warrant a CISO or even a full-time security person – certainly nobody that’s dedicated their life to security. We’ve put a lot of effort into working out how to give those smaller developers access to security talent and robustness. Some of this involves proactive reviews on our part, but we’re also starting to expand our bug bounty program to include coverage for the marketplace as well, so they can leverage the benefits that we’re getting. It’s good for them, good for us, and of course better for our customers as they know they can trust the security of marketplace products as much as our own.
To find out more about Adrian and his work at Atlassian, go to https://www.atlassian.com/blog/technology/a-conversation-with-adrian-ludwig-our-ciso