With Valentine’s Day quickly approaching, we’re all seeing the telltale signs—pink and red aisles at the grocery store, reservations for prix fixe menus at restaurants, and local flower shops bursting at the seams.
These sightings have me thinking about a phrase we’ve said here at Bugcrowd for almost a decade now—”the unlikely romance between hackers and security teams.” We’ve been talking about this surprising dynamic for years, and as the CISO at Bugcrowd, I’d like to share my thoughts specifically on the relationship between hackers and CISOs/security leaders.
What exactly does an “unlikely romance” mean?
To truly understand this “unlikely romance,” you first need to understand what I mean when I say “hacker.” Defining a hacker is harder than one might think. Most people probably consider a hacker and a cybercriminal to be one in the same. Merriam-Webster defines a hacker as “an expert at programming and solving problems with a computer.” That doesn’t sound like a cybercriminal, does it?
“Hacker” is the dominant self-descriptor used by the cybersecurity community to refer to “the good guys.” Other terms you may have heard include ethical hackers, white hat hackers, and security researchers. The confusing part is threat actors, aka “the bad guys,” also call themselves hackers. For my purposes in this blog (and the rule of thumb at Bugcrowd), when I say “hackers,” I’m talking about the good guys.
There is so much misinformation out there about the hacking community. Long-standing stereotypes of faceless criminals in hoodies come from pop-culture depictions. These stereotypes lead to assumptions that CISOs are actively fighting against hackers. This is where the concept of an “unlikely romance” really comes into play. People expect CISOs and hackers to be working against each other, not together for the greater good.
Hackers + CISOs = ♥️?
Some of the challenges security leaders are facing may feel like old news, but that doesn’t make them any less relevant to our strategic initiatives. For example, the cybersecurity skills gap has been the subject of many articles, yet it is still a major struggle for security teams around the world. ISC2’s recent study found that the cybersecurity skills gap grew 12.6% last year, even though the cybersecurity workforce grew by 8.7%.
Pair this with the fact that the attack surface is always evolving, it really creates a perfect storm. There is always the next “big threat” looming—for example, right now, it’s AI threats. CISOs simply don’t have the time or resources to constantly adapt to prepare for what’s next while still dealing with the pressure that comes from an under-staffed team.
I’m speaking with a lot of fellow CISOs at the moment who are looking to counter this challenge and the cybersecurity skills gap and help their security teams scale by broadly adopting the crowdsourcing of human intelligence via the hacker community. Partnering with hackers helps continuously weed out unique or previously unidentified vulnerabilities that their internal offensive security teams cannot—not just from a technical point of view, but also from time to scale-up or go deep in “breaking” new technology perspectives.
CISOs should be partnering with hackers to extend the reach of their security teams and proactively secure their attack surface or find that hidden “golden nugget” of a bug. This partnership can be achieved at scale through a trusted crowdsourced security vendor.
One statistic from Inside the Mind of a Hacker that really shatters hacker stereotypes is the fact that 77% of hackers report working in IT or cybersecurity full time. That’s right—over three quarters of hackers work in traditional IT or cybersecurity roles. Chances are, you probably have someone on your security team right now who hacks on the side on the Bugcrowd Platform.
In my personal view, partnering with hackers does not increase operational risk; instead, it only decreases risk, as it enables the earlier identification of vulnerabilities harvested by experts in the security community before attackers can discover and exploit them.
Building a relationship that can go the distance
We’ve established the need to work with hackers via crowdsourced security models, but how do CISOs:
- Find the right hackers to work with
- Develop long-lasting, mutually beneficial relationships with hackers
To extend the Valentine’s Day/unlikely romance theme, they say there are a lot of fish in the sea, but most people aren’t looking for all of the fish…they’re looking for the right fish.
It’s the same with hackers. Some crowdsourced security companies throw bodies at the problem, thinking a higher quantity brings better results. That’s not exactly true. You want to look for quality in the hackers you partner with, not quantity.
To do this, leverage a company like Bugcrowd that expertly pairs organizations with hackers based on skill sets, target types, and precisely the right experience. For example, Inside the Mind of a Hacker found that 70% of hackers identify web applications as their area of hacking specialization. By nature of that fact, three quarters of hackers other vendors pair your organization with would have that specialty…but what if you’re looking for network pen testing or recon/asset discovery? Blindly throwing bodies at a problem is just going to create noise and not give you the best solution. You need the right hackers with the right skill sets for your specific situation.
By the way, if you’re still on the fence about working with hackers, you can always take a crawl, walk, run approach. By leveraging a select number of curated hackers with small-scope proof of value (POV), CISOs can safely and effectively mitigate the perceived risk of crowdsourced security. Running this POV gives a CISO’s team familiarity with the platform, triage services, and customer success capabilities. As CISOs become more accustomed to the crowdsourced model, they are likely to go wider and deeper— sometimes straight to a public program to glean the ultimate benefits from a bigger, more diverse community of hackers.
Going back to my second point, it isn’t just about finding the right hackers, it’s also about nurturing good relationships with them. By investing in your organization’s relationship with the hacker community, you’ll foster goodwill, more continuous testing, and attract more hackers to your programs.
Ways to foster these relationships include responding to hacker submissions quickly, investing in a crowdsourced security platform with excellent triage capabilities, and offering program rewards within market ranges.
How Bugcrowd can help
Crowdsourced security platforms like Bugcrowd make the unlikely romance between hackers and CISOs possible. By leveraging penetration testing as a service, vulnerability disclosure programs, and managed bug bounty programs, CISOs can expand their team’s reach, partnering with the hacker community as an extension of their team.