In my last blog, I examined why cybercrime increases during economic hardship and why innovation and vigilance are necessary to keep up. But how are organizations supposed to do this when every week I hear from CEOs and CISOs that they have to make increasingly difficult decisions over reducing headcount and budget? We recently surveyed security professionals and heard that over a third of companies made headcount and security budget cuts in the last 12 months. More expect to make similar cuts in the next 12 months.
At the same time, I hear organizations feel pressure to innovate to compete for reduced customer spending. From a technology point of view, this means more digital transformation and outsourcing, which comes with its challenges. According to the 2022 Hacker-Powered Security Report, reports for vulnerability types typically introduced by digital transformation saw the most significant growth, with misconfigurations growing by 150% and improper authorization by 45%.
The combination of reduced headcount, the introduction of new technology, and increased cybercrime results in organizations seeing their risk escalate. Sixty-seven percent of security professionals surveyed believe the reduced budget and headcount in security would negatively affect their ability to handle cybersecurity incidents.
Following conversations with leading security professionals, CISOs of some of the most secure organizations, and hackers who understand the outsider mindset, I have distilled the following advice for organizations looking to increase attack resistance without increasing spend.
Harness AI To Do More With Less
Among the main opportunities is the ability of AI to produce useful and well-written texts. Security teams produce a lot of write-ups, reports, and documents. Human oversight will always be needed to make such documents perfect, but now the drafting and heavy lifting can increasingly be outsourced to a chatbot. Cybersecurity vendors will bring untold numbers of AI innovations to bear in and around their products, and customers stand to benefit from them. The competition will be so fierce that prices for customers will remain low for a long time – an excellent opportunity for CISOs to do more with less.
However, reliance on automation and software won’t work without staffing to manage such SaaS offerings. CISOs will be forced to postpone necessary improvements of the cybersecurity posture of their company. They must buckle down and focus on only the most essential, trying to keep the lights on with solutions already deployed, and doing small experiments with new solutions where it is of critical importance. If a breach happens, all hell breaks loose.
I hear from CISOs that they want better but fewer choices. Often a security incident comes not from a bad actor but from buggy software or disgruntled employees. Why not engage the ethical hacking community to see the gaps in your security strategy? It’s hard to know the benefit of your tools unless you’re going to test your attack surface.
Manage Reduced Headcount Without Burning Out Staff By Effective Prioritization And Vendor Consolidation
One of our customers recently told us that the bug bounty program they run is comparable to hiring four full-time pentesters. They spend $200K with HackerOne annually; if a full-time pentester salary ranges from $85K to $250K depending on experience and skill diversity, a team of four could cost anywhere from $340K to $1M annually, and that team would still have limited experience, diversity, and skillsets.
For significantly less outlay, companies can get access to a diverse range of expertise and knowledge. Hackers bring their outsider mindset to your system’s defenses and let you know quickly where your vulnerabilities are and how you might remediate them. Hackers supplement your internal teams, reduce internal burnout, and make your organization more successful overall.
One customer I spoke to tripled their spend with HackerOne in order to halve a much larger line item elsewhere in their budget, which helped reduce the pressure to cut headcount. By employing our crowdsourced model they could make significant savings on functions they had been outsourcing to traditional and more expensive vendors. Triage, security analysis, pentesting, and other services can today be obtained cost-effectively from a vendor of crowdsourced security services.
Innovate Securely By Testing Throughout The Software Development Life Cycle (SDLC)
According to the Systems Sciences Institute at IBM, the cost to fix a bug found during implementation is about six times higher than one identified during design. The cost to fix an error found after product release is then four to five times as much as one uncovered during design, and up to 100 times more than one identified during the maintenance phase. The cost of a bug grows exponentially as the software progresses through the SDLC.
HackerOne customer, AS Watson, used hacker findings to build a new secure code training program for their development teams, monitoring the trends of vulnerabilities and leveraging them to build a training baseline to reduce risk. The training program has helped them increase the quality of the code and reduce vulnerabilities, shifting left as much as possible to secure the SDLC. Their CISO noticed a decrease in total valid reports over the years and reported lowered costs remediating issues in live environments.
Reduce The Risk Of Cybercrime By Having An Outsider Mindset To Identify Security Flaws
It’s riskier to not have an ethical hacking program than to run it. Getting breached or attacked is not a question of if but when. If the most risk-averse organizations are using hackers, you should be too. The U.S. Department of Defense (DoD) was a front-runner in realizing the need to have the outsider mindset protect national security. Since the launch of Hack the Pentagon in 2017, hackers have uncovered more than 45,000 vulnerabilities for the DoD.
You cannot find a replacement for humans when it comes to testing software, whatever additional tools you might use. Humans create the problems in the first place, and criminals are successful because they harness the human mind. The solution needs to be human too. The hacking community far outnumbers the cybercriminals, and 92% of hackers say they can find vulnerabilities scanners can’t.
A report on HackerOne is submitted every 2.4 minutes, and new customer programs receive an average of 4 high or critical valid vulnerability reports in the first month.
Get A Better Understanding Of Where Risk Originates From By Practicing Transparency, Blameless Retros, And Open Learning As Things Unfold
Being transparent about vulnerabilities is not a weakness and can positively impact your bottom line. Brands like Norsk Hydro and FireEye demonstrated transparency and successfully overcame cyber incidents with their balance sheet intact.
We publish all our vulnerability reports. We recently received a report from a hacker about a vulnerability in a piece of imaging software we use. We’re not immune to the third-party software risk every company experiences, but we highlight our weaknesses as the best way to fix them. Disclosure has been a core value since we started this company. Organizations must get more comfortable opening themselves up to scrutiny. Sharing vulnerability information is how we build a safer internet and how you can build trust with your customers.