Why This Moment In Cybersecurity Needs Hackers To Protect All Software
Originally published in Security Magazine
When the pandemic hurled us into a cybersecurity crisis, there were some who held out hope that things would eventually return to normal. By now, we know those hopes were misguided, and the picture has only grown darker with time. According to the World Economic Forum, cybercrime now poses the greatest threat to businesses today. Populations of entire countries are at heightened risk, with Microsoft finding that nation-states are increasingly targeting critical infrastructure. Today's digital threat actors have attained a degree of sophistication and savvy that has boggled cybersecurity veterans, who are struggling to keep up with their advanced and increasingly destructive methods.
Given this pressure to compete with cybercriminals, you’d expect organizations to make eager use of every cybersecurity tool at their disposal. And yet countless organizations continue to ignore one of the most effective and time-tested cybersecurity tools we have: the ethical hacker.
By 2023, I’d have hoped the global hacker community would be a widely accepted, routine part of every company's cybersecurity toolkit—as mundane and uncontroversial as firewalls or security hygiene training. After all, hackers have been a respectable part of the cybersecurity world for nearly 30 years now, ever since Netscape pioneered the first bug bounty program in 1995. In the years since, companies like Microsoft, Facebook, and Google have all implemented—and doubled down on—their own hacker-driven programs.
These tech giants are not the kinds of organizations known for willingly putting themselves at risk. Neither, for that matter, is the U.S. Department of Defense (DoD), which, over the years, has received more than 46,000 actionable vulnerability reports from a worldwide community of nearly 5,000 hackers. We are talking about some of the best-advised, best-fortified, most technologically advanced organizations, staffed by intelligent people who are highly incentivized not to screw things up for their employers.
Hackers are good enough for them. So why, after all this time, are so many still hesitant to trust hackers?
On one level, it's a branding problem: for too many, the term “hacker” still brings to mind people with malicious intent. However, given how much hackers have contributed to the safety of our current cybersecurity landscape, to perpetuate this outdated image in 2023 is no longer just misinformed, it hinders the future safety of the internet. As Gartner has pointed out, cybersecurity programs must be human-centric, or else they will fail.
Put otherwise: companies that don't make use of hackers are putting themselves at higher risk.
Why hackers thrive where technology fails
You can't plan for the things you can't know in advance. Yes, every sensible company tests its code before production, but many security vulnerabilities don't exist until the code is actually deployed—until it's really out there in the world. Allowing an outdated fear of hackers to prevent you from getting a comprehensive picture of your security vulnerabilities is fundamentally irrational—and self-defeating. Real-life testing—the kind only hackers can offer—is indispensable. You simply cannot get the same results from any other method.
Secondly, there's the human element to consider: where testing software can only find known unknowns, humans are gifted with the ingenuity to find the unknown unknowns, the vulnerabilities you wouldn’t even know to look for in the first place. And because these hackers are not part of your organization—because they're coming in from the outside, their sight is unclouded by the bias that builds from working on the same product month after month, year after year. This is no small thing in light of the fact that 95% of applications or systems have at least one vulnerability.
But potential bias isn't the only in-house limitation. There is also the fact that, owing at least in part to the ongoing IT skills gap, most companies do not have the personnel to accommodate the kinds of continuous testing that true safety requires. The supply of hackers, on the other hand, is nearly unlimited—the worldwide community is so large that testing can be conducted continuously by a wide range of experts equipped with different yet complementary skill sets.
Hackers get results
The potential results here are far from abstract.
For one thing, hackers will inevitably surface vulnerabilities that are unfindable by any other method. Also, hackers won’t inundate your IT teams with irrelevant and distracting false positives, which are endemic to most cybersecurity programs.
Fewer and fewer companies are still holding out on hackers: by now, their indispensability to security practices is the common consensus. According to a survey HackerOne conducted at RSA, 88% of cybersecurity professionals believe that ethical hackers can have a positive impact on cybersecurity. Among those holdouts, you continue to hear one common concern—namely, that these places don't want to have to deal with finding and coordinating the relevant hackers. But this concern, too, is outmoded, as many companies now exist that can take care of all of this work for them.
All this would be important even if things were relatively calm in the world of cybersecurity. Cybercrime has entered its steroid era: the enemy is stronger than ever, and even a moment's lapse in vigilance can spell disaster for a company. If hackers were just a third as effective as long experience has demonstrated them to be, it would be malpractice not to make use of them. Hackers’ research and responsible reporting has managed to avert thousands of crises over the years and continue to do so. Don’t let false, obsolete notions about hackers imperil your company’s safety.