More Than Bounty: Beating Burnout with Hacker-Powered Security
A career in security is hardly dull or static. Nor would those attracted to the industry want it to be. On the contrary -- we often hear that people are drawn to the constant challenge and opportunity to learn new systems and weaknesses.
Still, there is much to be said for balance. As a leader, ensuring you and your employees achieve this balance is a big part of your job. And with an estimated 300,000 open computer security positions in the US alone, keeping top talent from burning out and leaving is a high priority.
Unfortunately, a new report reveals that burnout rates in the industry are at an all-time high. 91 percent of security pros report constant stress and a third of CISOs fear they’d lose their job over a breach.
When we pause to consider just how fast the technology landscape is changing, and how much pressure development teams are under to deliver new products and features, it’s easy to see how the race to stay ahead of attackers can become overwhelming.
We really like how the CEO of Nominet, the company that underwrote the above-mentioned report on burnout, put it in his introduction:
Being the pragmatic sector it is, our focus tends to be on technical solutions to technical problems. However, step back and technology is just the plain on which the battle manifests. At the start and end of every attack, there are people; whether this is a criminal launching attacks or a security team trying to stop them. Understanding them is therefore crucial.
Embracing this “people-first” security perspective, this blog outlines the role hacker-powered security plays in helping companies achieve two central talent goals:
- Hiring top security talent
- Retaining more top talent by warding off burn out
Hacker-powered Security as Talent Pipeline
Many HackerOne customers hire hackers from their bounty program as full-time employees. And it makes great sense, whether you're talking a private or public bounty program.
In a private program, you specify the number of hackers you want and the skills they need to bring to the table. You can also filter by reputation, signal, and impact. And for organizations with particularly sensitive assets (and/or legal teams), HackerOne Clear offers background-checked hackers and a suite of additional controls to retain visibility.
Before you even start, you’ve screened hackers so you know you’re getting the ones with the knowledge, skills, and background you need. And then you get to see them operate over the course of several months—how they think, how they write, and how they interact with your applications, environment, and, most importantly, with your security team.
Hacker-powered Security as Liquid Stress Reliever
As new technologies emerge, so do new types of vulnerabilities. Keeping up can seem daunting. Recent Symantec research found that this can lead to security professionals feeling like they’re falling behind.
The nearly 500,000 hackers in the HackerOne Community possess every imaginable skill. By putting this community to work, you can instantly expand your security coverage. Not only does this have the very practical, and visible, effect of strengthening your security posture, it also frees up internal teams to focus on core DevSecOps processes, significantly relieving stress and cutting down on burnout.
CSO of HackerOne customer Sumo Logic George Gerchow put it this way:
The diverse perspectives and creativity of the participating hackers was astounding. Some of these vulnerabilities would never have been found otherwise. The community and HackerOne’s team served as a complement to and extension of our internal security team, allowing us to scale on a moment’s notice, and exceed compliance standards.” Read the full Sumo Logic customer story here.
Nextcloud Founder Frank Karlitschek echoes the sentiment, saying, “We obviously can’t hire enough engineers to protect against every possible vulnerability, but we can use our bug bounty program to add on-demand expertise where we need it and continuous coverage nearly everywhere else.” You can check out the Nextcloud customer story over here.
Shopify, the leading commerce platform company, has used HackerOne both to scale their security capacity to match their explosive growth, and to hire talent. In the words of their CEO Tobi Lutke, “One of the best ways for us to augment our internal security team is to work with the white-hat community. This was a pain before HackerOne but now is significantly easier.”
When Andrew Dunbar, Director of Risk and Compliance, joined Shopify in 2012, he was the sole security employee for the organization. The security team has since grown to over 50, including one of the hackers from Shopify’s HackerOne program.
In 2017, Shopify hired one of HackerOne’s top 100 hackers, Pete Yaworski, for an in-house role on their security team. The relationship began at the H1-415 live-hacking event in San Francisco. “At Shopify, I get to work with incredibly smart people who are driven by a larger cause,” Pete said. “There are real-world impacts I see as a direct result of my work, not only for Shopify but for everyone who interacts with our platform.”
Whether your top concern is fluidly expanding security coverage, reintroducing your security team to sanity, or improving your talent pipeline, HackerOne is your strongest ally.