Phil Venables, senior advisor and board director at Goldman Sachs, has seen more than his share of highs and lows in the security world. The former Goldman Sachs CISO has held senior-level information security roles at Deutsche Bank, Standard Chartered Bank, and Barclays Bank over the past 25-plus years -- which was why we were so thrilled when Phil shared his insights at our annual Security@ 2019 conference.
Phil’s fireside chat with Bill Gurley, HackerOne board member and general partner at Benchmark, covered risk and hacker-powered security as they apply to every organization of any size, not just financial services behemoths like Goldman Sachs. In fact, Phil discussed why security is too important to be left to security experts, and that we must start building security into the entire software development lifecycle (SDLC). He also shared his experiences with the hacker community and how he started incorporating hackers decades ago into his organization’s nascent security processes.
Here’s what else Phil had to say.
Getting Started with the Hacker Community
In the early days of information security, incoming vulnerability reports were met with confusion. Processes weren’t in place to handle these friendly notifications, and even the notification process itself was obscure. This set off a lightbulb for Phil: the only way to harness the power of these insights was by working with the hacker community.
“We should have a means by which people can notify us,” Phil recalled thinking. But a notification mechanism alone wasn’t enough. An incoming vulnerability report would set off an entire machine of effort and response, which few organizations were ready to handle. That realization led his team to work through the logistics of handling incoming reports: how they would be managed internally, how the interaction with the hacker would be managed, how engineering would be involved, and more.
“When people see a flaw in what you’re doing, most people actually want to tell you,” Phil said. Pointing to the lack of simple communication basics, Phil added that most hackers “just want acknowledgement” that their message was received.
“When you don’t have a means to interact, that’s when you get tension.”
As Phil began building a process for handling incoming reports, he started expanding his use of hacker-powered security. Over the next 18 to 24 months, his team moved from easing notifications to private bug bounty programs and eventually to public programs.
Building a Security-Aware Organization
Security awareness is critical for any organization of any size. As the saying goes, security is everyone’s job. But instilling a sense of security takes work and it takes communication. When communicating up to the leadership team, their level of familiarity with technology can help you frame the conversation. It’s also important to help leadership understand how hacker-powered security works and why visibility and transparency are better than the alternatives.
Ignoring the gaps isn’t a solution, Phil says, and you might need to convince leadership that you can reduce risk simply by knowing that bugs exist. That’s a fundamental benefit of working with the hacker community. “If you don’t know about (the bugs), the risk hasn’t changed,” he added.
Phil also recommended explaining and justifying your security efforts around benefits rather than specific bugs or issues resolved. What is your team learning? How has engaging the hacker community helped? Where has it helped improve processes? How have your security and development team structures changed because of working with the community?
Relatedly, Phil emphasized how hackers empower businesses to scale their security infrastructure. Hacker-powered security allows customized testing to fit the needs of any security team at any stage of the SDLC. So small startups can add hacker-powered security from day one, or large organizations can bring hackers in where it best fits. The goal is to avoid breaches that could derail deals, impact customers, and affect partners, which would all eventually impact revenues. That’s what can really help to get executives on board with the benefits of hacker-powered security.
Once leadership understands the breadth of benefits from hacker-powered security, you can start to include more areas of your organization in the conversations. From there, Phil says it’s all about speed and showing results.
“Everything is a game of speed,” he added, and your goal is to make the security cycle as fast as possible. “All software has some degree of bugs. The quicker we can find and fix them is an approach that is intuitive and obvious to everyone.”
Extending Hacker-Powered Security
Hackers are an important part of every organization’s security apparatus, but they aren’t the only part. “This is but one very important piece of the collective armory of defense,” Phil said. In the future, he predicts that we’ll see the “opportunity for these types of community approaches to go even broader.”
When looking to the future, Phil sees hacker-powered security playing a central role in the interconnectedness of software and organizations. As more companies connect their systems with customer, supplier, and partner systems, their security scopes increase accordingly. That extends the conversation beyond just your third-party systems and into what Phil terms fourth-party systems.
Going even further, Phil talked about the common discovery of vulnerabilities exposed by an organization’s implementation of third-party apps. While individual vulnerabilities may have been caused by the organization itself, there may also be underlying risks in the third-party apps themselves. Phil says he sees an opportunity for hackers to dig deeper into those bugs for a larger potential reward, since a solution would reduce the risk for everyone who uses the technology.
Phil also says he expects the value of hackers and their efforts to continue to grow, especially as more hackers gain a greater understanding of organizational complexities and processes. He mentions seeing a higher level of engineering professionalism, and more familiarity with the intricacies of enterprise logistics, processes, and internal workings.
Ultimately, however, Phil says that hacker-powered security is a helpful tool in reducing risk and improving security, but it’s mostly about transparency. If you don’t know a bug exists, you can’t fix it. If your organization isn’t on board with that, your work is cut out for you.
“If you don’t have an organization that fundamentally believes you’re best knowing (about security gaps), then you probably need to do that education first.”